779
Arithmetic, Geometry, Cryptography, and Coding Theory 2021 18th International Conference Arithmetic, Geometry, Cryptography, and Coding Theory May 31–June 4, 2021 Centre International de Rencontres Mathématiques, Marseille, France
Samuele Anni Valentijn Karemaker Elisa Lorenzo García Editors
Licensed to AMS. License or copyright restrictions may apply to redistribution; see https://www.ams.org/publications/ebooks/terms
EDITORIAL COMMITTEE: Michael Loss (Managing Editor), John Etnyre, Angela Gibney, Catherine Yan
2020 Mathematics Subject Classification. Primary 11G20, 11G30, 11G32, 11G40, 11T71, 14G10, 14H40, 14Q05, 20C20, 20G41.
For additional information and updates on this book, visit www.ams.org/bookpages/conm-779
Library of Congress Cataloging-in-Publication Data
Names: International Conference on Arithmetic, Geometry, Cryptography and Coding Theory (18th: 2021: Marseille, France), author. | Anni, Samuele, 1985- editor. | Karemaker, Valentijn, 1990- editor. | Lorenzo García, Elisa, 1987- editor. | Centre national de rencontres mathématiques (France), host institution.
Title: Arithmetic, geometry, cryptography and coding theory 2021 : 18th International Conference on Arithmetic, Geometry, Cryptography, and Coding Theory, May 31-June 4, 2021, Centre International de Rencontres Mathématiques, Marseille, France / Samuele Anni, Valentijn Karemaker, Elisa Lorenzo García, editors.
Description: Providence, Rhode Island : American Mathematical Society, [2022] | Series: Contemporary mathematics, 0271-4132 ; volume 779 | Includes bibliographical references.
Identifiers: LCCN 2022008520 | ISBN 9781470467944 (paperback) | 9781470470890 (ebook)
Subjects: LCSH: Coding theory–Congresses. | Geometry, Algebraic–Congresses. | Cryptography–Congresses. | Number theory–Congresses. | AMS: Number theory – Arithmetic algebraic geometry (Diophantine geometry) – Curves over finite and local fields. | Number theory – Arithmetic algebraic geometry (Diophantine geometry) – Curves of arbitrary genus or genus = 1 over global fields. | Number theory – Arithmetic algebraic geometry (Diophantine geometry) – Arithmetic aspects of dessins d'enfants, Belyĭ theory. | Number theory – Arithmetic algebraic geometry (Diophantine geometry) – L-functions of varieties over global fields; Birch-Swinnerton-Dyer conjecture. | Number theory – Finite fields and commutative rings (number-theoretic aspects) – Algebraic coding theory; cryptography (number-theoretic aspects). | Algebraic geometry – Zeta functions and related questions in algebraic geometry (e.g., Birch-Swinnerton-Dyer conjecture). | Algebraic geometry – Curves in algebraic geometry – Jacobians, Prym varieties. | Group theory and generalizations – Representation theory of groups – Modular representations and characters. | Group theory and generalizations – Linear algebraic groups and related topics – Exceptional groups.
Classification: LCC QA268 .I57 2021 | DDC 512.7/4–dc23/eng20220528
LC record available at https://lccn.loc.gov/2022008520

Copying and reprinting. Individual readers of this publication, and nonprofit libraries acting for them, are permitted to make fair use of the material, such as to copy select pages for use in teaching or research. Permission is granted to quote brief passages from this publication in reviews, provided the customary acknowledgment of the source is given. Republication, systematic copying, or multiple reproduction of any material in this publication is permitted only under license from the American Mathematical Society. Requests for permission to reuse portions of AMS publication content are handled by the Copyright Clearance Center. For more information, please visit www.ams.org/publications/pubpermissions. Send requests for translation rights and licensed reprints to [email protected].

© 2022 by the American Mathematical Society. All rights reserved. The American Mathematical Society retains all rights except those granted to the United States Government. Printed in the United States of America.

∞ The paper used in this book is acid-free and falls within the guidelines established to ensure permanence and durability.
Visit the AMS home page at https://www.ams.org/
10 9 8 7 6 5 4 3 2 1    27 26 25 24 23 22
Contents

Preface, vii

Numerical reconstruction of curves from their Jacobians
Daniele Agostini, Türkü Özlüm Çelik, and Demir Eken, 1

A strategy to optimize the complexity of Chudnovsky-type algorithms over the projective line
Stéphane Ballet, Alexis Bonnecaze, and Bastien Pacifico, 13

On the constant D(q) defined by Homma
Peter Beelen, Maria Montanucci, and Lara Vicino, 33

How big is the image of the Galois representations attached to CM elliptic curves?
Francesco Campagna and Riccardo Pengo, 41

Multiradical isogenies
Wouter Castryck and Thomas Decru, 57

Arithmetic monodromy groups of dynamical Belyi maps
Özlem Ejder, 91

Automorphisms and isogeny graphs of abelian varieties, with applications to the superspecial Richelot isogeny graph
Enric Florit and Benjamin Smith, 103

Frobenius structures on hypergeometric equations
Kiran S. Kedlaya, 133

The regulator dominates the rank
Fabien Pazuki, 159

Introduction to Drinfeld modules
Bjorn Poonen, 167
Preface

The 18th edition of the AGC²T conference (Arithmetic, Geometry, Cryptography, and Coding Theory), planned to take place at CIRM (Centre International de Rencontres Mathématiques) in Marseille, France, as did the previous editions, finally went ahead online between May 31 and June 4, 2021. This workshop is part of a series dating back to 1987. Since then, these workshops have become a major event in the area of arithmetic geometry and its applications to cryptography and coding theory.

The online setting allowed us to invite more participants than we would otherwise have been able to host at CIRM, and we thank all of the 130 participants for their active contributions during the week and afterwards, on the various online platforms that were used. Despite the unusual circumstances, we were very happy to still experience the stimulating and welcoming atmosphere that is typical of the AGC²T community. We would like to especially thank the speakers, Jeroen Sijsling, Davide Lombardo, Angela Ortega, Türkü Çelik, Nirvana Coppola, Leonardo Colò, Luca Notarnicola, Sorina Ionica, Jean Kieffer, Tomoyoshi Ibukiyama, Stefano Marseglia, Ernst-Ulrich Gekeler, Chia-Fu Yu, Sergey Rybakov, Kate Stange, Monika Trimoska, Richard Griffon, Fabien Narbonne, Annamaria Iezzi, Joachim Rosenthal, Beth Malmskog, Pietro Speziali, Maria Chara, Luciane Quoos, Cecília Salgado, Peter Beelen, Gunther Cornelissen, Kaloyan Slavov, Nathan Kaplan, Wei Ho, Gabor Wiese, Marco Streng, Tony Ezome, Francesco Campagna, Elisa Gorla, Sudhir Ghorpade, Marc Perret, Stefano Lia, and Elena Berardini, for their lectures.

The conference centred around interactions between pure mathematics (in particular arithmetic and algebraic geometry) and information theory (especially cryptography and coding theory). The topics of the talks ranged from the study of relations between curves and their Jacobians to the study of endomorphism rings and isogeny graphs of supersingular elliptic curves and their applications to cryptography, and from classifying abelian varieties over finite fields to classifying different properties of convolutional, linear or algebraic codes.

The editors are indebted to the staff of CIRM and of the Institut de Mathématiques de Marseille for their patience in dealing with constantly changing circumstances and for their consistent help. We gratefully acknowledge the financial support of the local sponsors of the event (Aix-Marseille Université, the Ville de Marseille, the FRUMAM, the Institut de Mathématiques de Marseille, the Institut Archimède, the CNRS through the GDR JC2A, and the ANR project MELODIA ANR-20-CE40-0013), as well as of the international funding bodies (the Foundation Compositio Mathematica and the NWO).
We would also like to thank Christine Thivierge at the American Mathematical Society for guiding us through the Contemporary Mathematics production process. And last but certainly not least, we are very grateful to the authors of the articles contained in this volume for their mathematical creativity and their kind cooperation in the editorial process.
Contemporary Mathematics Volume 779, 2022 https://doi.org/10.1090/conm/779/15667
Numerical reconstruction of curves from their Jacobians

Daniele Agostini, Türkü Özlüm Çelik, and Demir Eken

Abstract. We approach the Torelli problem of reconstructing a curve from its Jacobian from a computational point of view. Following Dubrovin, we design machinery to solve this problem effectively, which builds on methods in numerical algebraic geometry. We verify this method via numerical experiments with curves up to genus 7.
2020 Mathematics Subject Classification. Primary 14Q05; Secondary 14H42, 14H70.
Key words and phrases. Algebraic curves, theta functions, Torelli theorem, Jacobian variety.
The second author was supported by the Turkish Scientific and Technological Research Council (TÜBİTAK), TÜBİTAK 2236, project number 1119B362000396.
© 2022 American Mathematical Society

1. Introduction

The Torelli theorem is a classical and foundational result in algebraic geometry, stating that a Riemann surface, or smooth algebraic curve, C is uniquely determined by its Jacobian variety J(C). More concretely, the theorem says that a Riemann surface of genus g can be recovered from one Riemann matrix τ that represents its Jacobian. The key object is the Riemann theta function:

(1.1) $\theta : \mathbb{C}^g \times \mathbb{H}_g \longrightarrow \mathbb{C}, \qquad \theta(z, \tau) := \sum_{n \in \mathbb{Z}^g} \exp\left(\pi i\, n^t \tau n + 2\pi i\, n^t z\right),$

where $\mathbb{H}_g$ is the Siegel upper-half space of g × g symmetric complex matrices with positive definite imaginary part. There are various proofs of Torelli's theorem, which can even be made concrete in computational terms. Most proofs rely on the geometry of the theta divisor. This is the locus inside the Jacobian variety $J(C) = \mathbb{C}^g/(\mathbb{Z}^g + \tau\mathbb{Z}^g)$ which is cut out by the theta function: $\Theta = \{ z \in J(C) \mid \theta(z, \tau) = 0 \}$. For example, suppose that the Riemann surface C is not hyperelliptic, so that we can identify C with a canonical model $C \subseteq \mathbb{P}^{g-1}$. Then for any singular point $z \in \Theta_{\mathrm{sing}}$ of the theta divisor, the corresponding Hessian matrix $\left(\frac{\partial^2 \theta}{\partial z_i \partial z_j}(z, \tau)\right)_{i,j}$ defines a quadric in the projective space $\mathbb{P}^{g-1}$. By a result of Green [11], such quadrics span the space of quadrics in the ideal of the curve. Hence, if the curve is not trigonal or a smooth plane quintic, these quadrics generate the whole canonical ideal. This result has been extended by Kempf and Schreyer, who gave a way to recover the curve from a single singular point [13]. In particular, this gives a powerful effective reconstruction of the curve, provided that we are able to solve the system

(1.2) $\theta(z, \tau) = \frac{\partial \theta}{\partial z_1}(z, \tau) = \cdots = \frac{\partial \theta}{\partial z_g}(z, \tau) = 0.$

This has been implemented numerically for curves of genus 4 in [7], but it is a rather hard task in general, since the theta function is inherently transcendental. Moreover, this problem is also quite sensitive to the precision of the data: for example, if we move τ a bit, the corresponding theta divisor will not have singular points. There are various other proofs of the Torelli theorem, but many involve solving systems of equations such as (1.2). Hence, we look for different, more algebraic methods. Such a strategy was proposed by Dubrovin [8], building on Krichever's work [14] on algebraic curves and the Kadomtsev-Petviashvili (KP) equation:

(1.3) $\frac{\partial}{\partial x}\left(4u_t - 6uu_x - u_{xxx}\right) = 3u_{yy}.$

More precisely, for each Riemann surface C of genus g there exists a threefold $\mathcal{D}_C$ in a weighted projective space $\mathbb{WP}^{3g-1}$ parametrizing triples (U, V, W) such that the function

(1.4) $u(x, y, t) = 2\,\frac{\partial^2}{\partial x^2} \log \boldsymbol{\tau}(x, y, t) + c, \qquad \boldsymbol{\tau}(x, y, t) := \theta(Ux + Vy + Wt + D, \tau)$

is a solution to the KP equation (1.3) for any $D \in \mathbb{C}^g$ and some $c \in \mathbb{C}$. This threefold was called the Dubrovin threefold in [3], and it was studied there from a computational point of view. Two properties of this object matter for our point of view. First, $\mathcal{D}_C$ is cut out by some explicit equations whose coefficients are derivatives of theta functions (with characteristic) evaluated at zero. These can be computed explicitly with software for the evaluation of theta functions, such as Theta.jl in Julia [1]. Second, the projection of $\mathcal{D}_C$ onto the projective space $\mathbb{P}^{g-1}_U$ of the coordinates $u_1, \dots, u_g$ is exactly the canonical model of the curve $C \subseteq \mathbb{P}^{g-1}_U$. Hence, equations for the canonical model of C can be obtained by eliminating the variables V, W from the equations of the Dubrovin threefold $\mathcal{D}_C$, a purely algebraic process. In conclusion, this allows one to recover the curve from the Riemann matrix τ without having to solve a transcendental system such as (1.2).

In this note, we explain how to implement this strategy effectively, using the methods of numerical algebraic geometry. In Section 2, we explain the background behind the Dubrovin threefold and we state the key Lemma 2.1, which explains how to recover equations for the curve. In particular, this allows us to recover quartic equations, but we also discuss the case of quadrics and cubics. Furthermore, we comment on applications of these methods to the classical Schottky problem. In Section 3 we state the algorithm and analyze its complexity. Moreover, even though our focus is on methods that avoid finding singular points of the theta divisor, the latter can be very useful when we are able to solve the transcendental system (1.2), and we comment on this in Section 3.1. We conclude by presenting numerical experiments with curves of genus 3 to 7, which we carried out with the package RiemannSurface in Sage and the packages Theta.jl and HomotopyContinuation.jl in Julia.
2. The Dubrovin threefold

We start by recalling some background on the Dubrovin threefold, following [3, 8]. Let C be a smooth projective algebraic curve, or compact Riemann surface, of genus g. We fix a symplectic basis $a_1, b_1, \dots, a_g, b_g$ of the first homology group $H_1(C, \mathbb{Z})$ and we choose a normalized basis $\omega_1, \omega_2, \dots, \omega_g$ of holomorphic differentials, meaning that

(2.1) $\int_{a_i} \omega_j = \delta_{ij}.$

The corresponding Riemann matrix $\tau \in \mathbb{H}_g$ is defined as

(2.2) $\tau = \left( \int_{b_i} \omega_j \right)_{1 \le i, j \le g}.$

One can see that the function (1.4) is a solution to the KP equation (1.3) for all values of $D \in \mathbb{C}^g$ and a certain value of $c \in \mathbb{C}$ if and only if there exists $d \in \mathbb{C}$ such that the following quartic PDE, known as the Hirota bilinear equation, is satisfied:

(2.3) $(\boldsymbol{\tau}_{xxxx}\boldsymbol{\tau} - 4\boldsymbol{\tau}_{xxx}\boldsymbol{\tau}_x + 3\boldsymbol{\tau}_{xx}^2) + 4(\boldsymbol{\tau}_x\boldsymbol{\tau}_t - \boldsymbol{\tau}\boldsymbol{\tau}_{xt}) + 6c\,(\boldsymbol{\tau}_{xx}\boldsymbol{\tau} - \boldsymbol{\tau}_x^2) + 3(\boldsymbol{\tau}\boldsymbol{\tau}_{yy} - \boldsymbol{\tau}_y^2) + 8d\,\boldsymbol{\tau}^2 = 0.$

We now introduce a weighted projective space $\mathbb{WP}^{3g+1}$ with variables (U, V, W, c, d), where the $U = (u_1, \dots, u_g)$ have degree 1, the $V = (v_1, \dots, v_g)$ have degree 2, the $W = (w_1, \dots, w_g)$ have degree 3, and finally c, d have degree 2 and 4 respectively. The big Dubrovin threefold $\mathcal{D}_C^{\mathrm{big}}$ parametrizes all elements (U, V, W, c, d), with $U \neq 0$, such that $\boldsymbol{\tau}(x, y, t)$ in (1.4) is a solution to the Hirota bilinear equation (2.3) for all $D \in \mathbb{C}^g$. The projection of this variety to the space $\mathbb{WP}^{3g-1}$ of the (U, V, W) is called simply the Dubrovin threefold $\mathcal{D}_C$.

Equations for $\mathcal{D}_C^{\mathrm{big}}$ can be obtained directly from (2.3) as follows. Given any $z \in \mathbb{C}^g$, we write the Riemann theta function as $\theta(z) = \theta(z, \tau)$. Then we consider the differential operator $\partial_U := u_1 \frac{\partial}{\partial z_1} + \cdots + u_g \frac{\partial}{\partial z_g}$, and the analogous operators $\partial_V$, $\partial_W$. For any fixed vector $z \in \mathbb{C}^g$, the Hirota quartic $H_z$ is defined as

(2.4) $H_z := \partial_U^4\theta(z) \cdot \theta(z) - 4\,\partial_U^3\theta(z) \cdot \partial_U\theta(z) + 3\{\partial_U^2\theta(z)\}^2 + 4\left(\partial_U\theta(z) \cdot \partial_W\theta(z) - \theta(z) \cdot \partial_U\partial_W\theta(z)\right) + 6c\left(\partial_U^2\theta(z) \cdot \theta(z) - \{\partial_U\theta(z)\}^2\right) + 3\left(\theta(z) \cdot \partial_V^2\theta(z) - \{\partial_V\theta(z)\}^2\right) + 8d\,\theta(z)^2.$

This is exactly the expression obtained by substituting (1.4) into (2.3); hence the big Dubrovin threefold $\mathcal{D}_C^{\mathrm{big}}$ is cut out by the Hirota quartics $H_z$, as z runs over all vectors in $\mathbb{C}^g$, see [3, Proposition 4.2]. The coefficients of $H_z(U, V, W, c, d)$ are the values of the theta function θ and of its partial derivatives of certain orders at z, and they can be computed using numerical software for evaluating theta functions and their derivatives. We use the Julia package introduced in [1].

This yields an infinite number of equations that vanish on the big Dubrovin threefold. A finite set of equations for the threefold can be derived via the addition formula [8, §VI.1] for theta functions with characteristics $\varepsilon, \delta \in \{0, 1\}^g$:

(2.5) $\theta\!\left[\begin{smallmatrix} \varepsilon \\ \delta \end{smallmatrix}\right](z \mid \tau) = \sum_{n \in \mathbb{Z}^g} \exp\left( \pi i \left(n + \tfrac{\varepsilon}{2}\right)^T \tau \left(n + \tfrac{\varepsilon}{2}\right) + 2\pi i \left(n + \tfrac{\varepsilon}{2}\right)^T \left(z + \tfrac{\delta}{2}\right) \right).$

The function in (2.5) coincides with the Riemann theta function (1.1) for ε = δ = 0, and in general it differs from it by an exponential factor. We consider the following
function

(2.6) $\hat{\theta}[\varepsilon](z) := \theta\!\left[\begin{smallmatrix} \varepsilon \\ 0 \end{smallmatrix}\right](z \mid 2\tau).$

For fixed τ, the complex numbers $\hat{\theta}[\varepsilon](0)$ at z = 0 are called theta constants. We use the term theta constant also for evaluations at z = 0 of derivatives of (2.6). With these conventions, we define the Dubrovin quartic in (U, V, W, c, d) associated to the half-characteristic ε as

(2.7) $F[\varepsilon](U, V, W, c, d) := \partial_U^4 \hat{\theta}[\varepsilon](0) - \partial_U \partial_W \hat{\theta}[\varepsilon](0) + \tfrac{3}{2}\, c\, \partial_U^2 \hat{\theta}[\varepsilon](0) + \tfrac{3}{4}\, \partial_V^2 \hat{\theta}[\varepsilon](0) + d\, \hat{\theta}[\varepsilon](0).$

The Dubrovin and the Hirota quartics span the same vector subspace of the complex vector space of homogeneous polynomials of degree 4, as shown in [3, Proposition 4.3]; hence they also provide defining equations for $\mathcal{D}_C^{\mathrm{big}}$. We note that the proof of [3, Proposition 4.3] relies on Riemann's Addition Formula, and that is where the argument 2τ in (2.6) comes from.

We come to the crucial point: the projection of the big Dubrovin threefold onto the projective space $\mathbb{P}^{g-1} = \mathbb{P}^{g-1}_U$ coincides exactly with the canonical model of the curve C induced by the basis of holomorphic differentials of (2.1):

(2.8) $C \longrightarrow \mathbb{P}^{g-1}_U, \qquad p \mapsto [\omega_1(p), \omega_2(p), \dots, \omega_g(p)].$

In particular, if the curve C is not hyperelliptic, the canonical model is isomorphic to the curve C itself. In algebraic terms, this means that the canonical model (2.8) can be recovered by eliminating the variables V, W, c, d from the equations of the big Dubrovin threefold. This reduces to a problem of linear algebra as follows: for any half-characteristic $\varepsilon \in \{0, 1\}^g$ write $Q[\varepsilon]$ for the Hessian matrix of the function $\hat{\theta}[\varepsilon](z)$ at z = 0. Then, combining [3, Lemma 4.6] and [3, Proposition 4.7], we have:

Lemma 2.1. Suppose that C is a curve given by way of its Riemann matrix τ. Let us denote by $V_\tau \subseteq \mathbb{C}[u_1, \dots, u_g]$ the vector space of linear combinations

(2.9) $\sum_{\varepsilon \in \{0, 1\}^g} \lambda_\varepsilon \cdot \partial_U^4 \hat{\theta}[\varepsilon](0),$

where the $2^g$ complex scalars $\lambda_\varepsilon$ satisfy the linear equations

(2.10) $\sum_{\varepsilon} \lambda_\varepsilon \cdot Q[\varepsilon] = 0 \quad \text{and} \quad \sum_{\varepsilon} \lambda_\varepsilon \cdot \hat{\theta}[\varepsilon](0) = 0.$

Then a linear combination of the Dubrovin quartics is independent of c, d if and only if it belongs to $V_\tau$. Furthermore, $V_\tau$ has dimension $2^g - \frac{g(g+1)}{2} - 1$, and the corresponding quartics (2.9) cut out the canonical model (2.8) of the curve C.

Hence, if the curve C is not hyperelliptic, this lemma gives a way to recover the curve from the Riemann matrix τ which depends only on the evaluation of the theta function and its derivatives.

2.1. Recovering quadrics and cubics. Lemma 2.1 allows us to recover a linear space of quartics that cut out a canonical model of C. However, it is also possible to recover quadric equations. We start with the following basic observation: if in the space $V_\tau$ we can find a quartic of the form $Q(U)^2$, then Q is a quadric containing the curve C. We can actually find such special quartics inside $V_\tau$: indeed,
suppose that $z_0 \in \mathbb{C}^g$ is a singular point of the theta divisor Θ. Since θ and all of its first partial derivatives vanish at $z_0$, the Hirota quartic $H_{z_0}$ becomes

(2.11) $H_{z_0} = 3\left(\partial_U^2 \theta(z_0)\right)^2,$

and since this is independent of c, d, Lemma 2.1 tells us that $(\partial_U^2 \theta(z_0))^2 \in V_\tau$. Furthermore, we know by Green's result mentioned in the introduction that the quadrics $\partial_U^2 \theta(z_0)$ appearing in (2.11) span the whole vector space of quadrics in the ideal of the canonical curve. Hence, if C is not hyperelliptic, trigonal, or a smooth plane quintic, such quadrics generate the canonical ideal of the curve. We again point out that, at least in principle, such quadrics can be computed by algebraic and not transcendental methods. Indeed, this corresponds to intersecting the space $V_\tau$ with the subvariety of $\mathbb{C}[U]_4$ given by quartics of the form $Q^2$, so it amounts to solving a polynomial system of equations in the space $V_\tau$.

We briefly discuss also the case of cubics, which can appear if the curve is trigonal or a smooth plane quintic. In general, if $z_0 \in \Theta$ is a singular point of the theta divisor, the cubic equation $\partial_U^3 \theta(z_0)$ belongs to the canonical ideal of the curve [13]. If we apply the operator $\partial_U$ to the Hirota quartic $H_z$ and evaluate it at $z = z_0$, we obtain the quintic equation

(2.12) $\partial_U H_z \big|_{z = z_0} = 2\left(\partial_U^2 \theta(z_0)\right)\left(\partial_U^3 \theta(z_0)\right).$

The quintic (2.12) is a linear combination of the quintics $u_i \cdot F[\varepsilon]$, for i = 1, …, g and $\varepsilon \in \{0, 1\}^g$, so in principle we could try to proceed as for quadrics and look for reducible quintics of the form $Q(U) \cdot T(U)$, where deg Q(U) = 2 and deg T(U) = 3.
2.2. Applications to the Schottky problem. Up to now we have discussed the Torelli problem of reconstructing a smooth curve C from a Riemann matrix τ of its Jacobian J(C). Another fundamental question in this area is the Schottky problem [12], which asks, given a matrix $\tau \in \mathbb{H}_g$, whether it represents the Jacobian of a curve. This can be formulated in different ways, with different possible solutions: see for example [9] for a very recent one. In particular, one of these was given by Krichever [14] and Shiota [15] via the KP equation. This solution can be formulated in terms of the Dubrovin threefold [8, Section IV.4] by saying that $\tau \in \mathbb{H}_g$ represents a Jacobian if and only if the Dubrovin quartics (2.7) cut out a threefold. In particular, we can check that a matrix $\tau \in \mathbb{H}_g$ does not represent a Jacobian by computing the quartics of Lemma 2.1 and then checking that they do not define a curve in $\mathbb{P}^{g-1}$. We verified this experimentally in Example 3.6.

3. Numerical recovery

We can sum up the discussion of the previous section in the following algorithm. We have implemented it in Julia; the code can be found at https://turkuozlum.wixsite.com/tocj.
Algorithm 1: Recovery through the Dubrovin threefold
Input: A matrix $\tau \in \mathbb{H}_g$ representing the Jacobian of a non-hyperelliptic curve.
Output: Quartics that cut out the canonical model of the algebraic curve C whose Riemann matrix is τ.
Step 1: Set up the linear system (2.10) by computing the theta constants via the Julia package Theta.jl.
Step 2: Solve the linear system (2.10).
Step 3: Write down the quartics (2.9) and return them.

The algorithm is straightforward, and we can easily analyze its complexity in terms of the genus g. In Step 1, we need to evaluate $2^g \cdot (g(g+1)/2 + 1)$ theta constants, coming from the matrices $Q[\varepsilon]$ and the scalars $\hat{\theta}[\varepsilon](0)$. Then, in Step 2, we need to solve a $(g(g+1)/2 + 1) \times 2^g$ linear system of maximal rank. Finally, in Step 3, we need to compute the quartics (2.9), which involves the evaluation of $2^g \cdot \binom{g+3}{4} = 2^g \cdot (g+3)(g+2)(g+1)g/24$ theta constants, one for each degree-4 monomial in $u_1, \dots, u_g$ and each characteristic. In our experiments we considered examples, taken from the literature, up to genus 7, so that the linear system of Step 2 is of relatively small size and can be solved very quickly in Julia. What takes most of the time is the evaluation of the theta constants: the following table presents the approximate times to compute the theta constants in the examples below, with 12 digits of precision. In the table, $\partial^i$ indicates the order of the partial derivative of θ that we compute, and the last column gives the time needed to run the entire algorithm.

genus | ∂^0 | ∂^2 | ∂^4 | total
3 | 0.0009 sec | 0.001 sec | 0.002 sec | 5 sec
4 | 0.008 sec | 0.015 sec | 0.02 sec | 11 sec
5 | 0.07 sec | 0.15 sec | 0.23 sec | 9 min
6 | 2.1 sec | 4.2 sec | 6.9 sec | 12 h
7 | 6 sec | 8 sec | 10 sec | 60 h
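The following script is an added example, written for this edited page; it is not code from the paper and not the authors' Julia implementation. It carries out Steps 1 to 3 of Algorithm 1 in plain Python with the standard library only: the theta function with characteristics (2.5) and its partial derivatives are evaluated by truncating the lattice sum, the theta constants of $\hat{\theta}[\varepsilon]$ from (2.6) fill the rows of the system (2.10), the null space is computed by Gaussian elimination, and the quartic (2.9) is expanded as a form in $u_1, \dots, u_g$. The routine is written for general genus, and it is run here on the Riemann matrix of the Trott curve printed in Example 3.2; a genus-1 check of Jacobi's identity guards the theta evaluation. The function names, the truncation bound N = 5 and the pivot tolerance 1e-9 are choices made here, and the arithmetic is double precision rather than the 12 digits used by the authors.

```python
"""Added example (not the paper's code): Algorithm 1 in plain Python, standard
library only.  Step 1 evaluates theta constants of θ̂[ε](z) = θ[ε;0](z | 2τ),
eq. (2.6), by truncating the sum (2.5); Step 2 solves (2.10); Step 3 expands
the quartic (2.9).  Works for any genus; checked here on the Trott matrix."""
import cmath
import itertools
import math

PI = math.pi


def lattice_terms(z, tau, eps, delta, N):
    """Yield (m, exp(πi mᵀτm + 2πi mᵀ(z + δ/2))), m = n + ε/2, over n ∈ Z^g with |n_i| <= N.
    Terms decay like exp(-π λ_min(Im τ)|m|²); λ_min ≈ 0.3 for the Trott matrix, so N = 5 suffices."""
    g = len(z)
    for n in itertools.product(range(-N, N + 1), repeat=g):
        m = [n[i] + eps[i] / 2 for i in range(g)]
        quad = sum(m[i] * tau[i][j] * m[j] for i in range(g) for j in range(g))
        lin = sum(m[i] * (z[i] + delta[i] / 2) for i in range(g))
        yield m, cmath.exp(1j * PI * quad + 2j * PI * lin)


def deriv_factor(m, alpha):
    """∏ (2πi m_i)^{α_i}: term-by-term differentiation of (2.5) by ∂^α/∂z^α."""
    return math.prod((2j * PI * mi) ** ai for mi, ai in zip(m, alpha))


def theta(z, tau, eps=None, delta=None, alpha=None, N=5):
    """θ[ε;δ](z | τ) as in (2.5), or its partial derivative ∂^α θ when alpha is given."""
    g = len(z)
    eps, delta, alpha = eps or (0,) * g, delta or (0,) * g, alpha or (0,) * g
    return sum(w * deriv_factor(m, alpha) for m, w in lattice_terms(z, tau, eps, delta, N))


def jacobi_residual(tau1=0.3 + 1.1j):
    """Sanity check of theta(): Jacobi's identity θ3^4 = θ2^4 + θ4^4 in genus 1, where in
    the convention of (2.5) θ3 = θ[0;0](0|τ), θ2 = θ[1;0](0|τ) and θ4 = θ[0;1](0|τ)."""
    t = [[tau1]]
    t3, t2, t4 = theta([0], t), theta([0], t, eps=(1,)), theta([0], t, delta=(1,))
    return t3 ** 4 - t2 ** 4 - t4 ** 4


def nullspace(A, tol=1e-9):
    """Gauss-Jordan elimination with partial pivoting on a complex matrix (list of rows).
    Returns (rank, v) with v spanning the null space if it is a line, else (rank, None)."""
    A = [row[:] for row in A]
    m, n, pivots = len(A), len(A[0]), []
    for c in range(n):
        r = len(pivots)
        if r == m:
            break
        p = max(range(r, m), key=lambda i: abs(A[i][c]))
        if abs(A[p][c]) < tol:              # no usable pivot: this column is a free variable
            continue
        A[r], A[p] = A[p], A[r]
        A[r] = [x / A[r][c] for x in A[r]]
        for i in range(m):
            if i != r:
                A[i] = [a - A[i][c] * b for a, b in zip(A[i], A[r])]
        pivots.append(c)
    free = [c for c in range(n) if c not in pivots]
    if len(free) != 1:
        return len(pivots), None
    v = [0j] * n
    v[free[0]] = 1 + 0j
    for row, c in zip(A, pivots):           # reduced row for pivot c reads x_c + row[free] * x_free = 0
        v[c] = -row[free[0]]
    return len(pivots), v


def quartic_monomials(g):
    """Degree-4 exponent vectors in u_1..u_g, u_1^4 first and u_g^4 last, the order of Example 3.2."""
    return sorted((a for a in itertools.product(range(5), repeat=g) if sum(a) == 4), reverse=True)


def dubrovin_quartic(tau, N=5):
    """Algorithm 1: returns (rank of the system (2.10), coefficients of the quartic (2.9) in
    the order of quartic_monomials(g)); coefficients are None unless the solutions form a line."""
    g = len(tau)
    zero = [0] * g
    tau2 = [[2 * x for x in row] for row in tau]                  # θ̂ is evaluated at 2τ, see (2.6)
    chars = list(itertools.product((0, 1), repeat=g))             # the 2^g half-characteristics ε
    terms = {eps: list(lattice_terms(zero, tau2, eps, zero, N)) for eps in chars}

    def hat(eps, alpha):                                          # theta constant ∂^α θ̂[ε](0)
        return sum(w * deriv_factor(m, alpha) for m, w in terms[eps])

    # Step 1: rows of (2.10), the g(g+1)/2 entries of Σ λ_ε Q[ε] = 0 and then Σ λ_ε θ̂[ε](0) = 0.
    rows = [[hat(eps, [int(k == i) + int(k == j) for k in range(g)]) for eps in chars]
            for i in range(g) for j in range(i, g)]
    rows.append([hat(eps, zero) for eps in chars])
    rows = [[x / max(abs(y) for y in r) for x in r] for r in rows]  # equalise row scales for the pivot test
    rank, lam = nullspace(rows)                                   # Step 2
    if lam is None:
        return rank, None
    coeffs = []                                                   # Step 3: ∂_U^4 = Σ_{|α|=4} (4!/α!) u^α ∂^α
    for alpha in quartic_monomials(g):
        mult = 24 / math.prod(math.factorial(a) for a in alpha)
        coeffs.append(mult * sum(l * hat(eps, alpha) for l, eps in zip(lam, chars)))
    return rank, coeffs


# Riemann matrix of the Trott curve, copied from Example 3.2 (it is symmetric).
_t = {(0, 0): 1.06848368471179 + 0.723452867814272j, (0, 1): -0.305886633614305 + 0.123618182281837j,
      (0, 2): -0.160517941389541 - 0.206682546926085j, (1, 1): 0.776859918461210 + 1.25292663517205j,
      (1, 2): -0.626922516393387 - 0.289746911570334j, (2, 2): 0.376235735801471 + 0.484440302728207j}
TROTT_TAU = [[_t[min(i, j), max(i, j)] for j in range(3)] for i in range(3)]

if __name__ == "__main__":
    print("Jacobi identity residual:", abs(jacobi_residual()))
    rank, coeffs = dubrovin_quartic(TROTT_TAU)
    print("rank of (2.10):", rank, "so dim V_tau =", 2 ** 3 - rank)
    scale = (0.44055338231573327 - 0.11712521895532513j) / coeffs[0]   # normalise to Example 3.2
    for alpha, c in zip(quartic_monomials(3), coeffs):
        print(f"{scale * c:.6f}", " ".join(f"u{i + 1}^{a}" for i, a in enumerate(alpha) if a))
```

Running the script prints the Jacobi residual (of the order of machine precision), the rank of the 7 × 8 system, which is 7, so that dim $V_\tau$ = 1 as Lemma 2.1 predicts for g = 3, and the 15 coefficients rescaled so that the $u_1^4$ coefficient agrees with the one printed in Example 3.2, for a term-by-term comparison with the quartic listed there. The truncation bound N must grow when Im τ has small eigenvalues, and the row scaling before elimination matters because the Hessian rows carry a factor $(2\pi)^2$ relative to the row of values; for higher genus the cost is dominated by the $2^g$ characteristics, as the complexity count above says.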
3.1. Computing the singular points. As we explained before, one of the advantages of the Dubrovin threefold is that it allows us to recover the curve without computing a singular point of the theta divisor. However, the latter is also a very useful method, if we manage to solve the transcendental system (1.2). Sage code that computes a singular point of the theta divisor in genus 4 is presented in the article [7]. The idea, which can be extended to any genus, is to solve the system (1.2) by numerical optimization, starting from a random input $z = a + \tau b$, where a, b are real vectors with entries between 0 and 1. In our implementation we use the function optimize.root from the SciPy package. We call this function with the method lm, based on the Levenberg-Marquardt algorithm, which speeds up the computation substantially in comparison with the hybr method. The function optimize.root works with numerical approximations of the partial derivatives appearing in (1.2); instead, we used the partial derivatives implemented in the Sage package abelfunctions [6], which gave more accurate results. In our experiments it took about 30 minutes to compute one singular point in genus 4 and about 1.5 hours in genus 5.

Remark 3.1. Before presenting our experiments, we observe that it is often convenient to work with an arbitrary basis of differentials instead of a normalized one as in (2.1). For such an arbitrary basis $\tilde{\omega}_1, \dots, \tilde{\omega}_g$, we consider the corresponding g × g period matrices

(3.1) $\Pi_a = \left( \int_{a_j} \tilde{\omega}_i \right)_{ij} \quad \text{and} \quad \Pi_b = \left( \int_{b_j} \tilde{\omega}_i \right)_{ij}.$

Then we obtain a normalized basis of differentials as in (2.1) and the corresponding Riemann matrix by taking

(3.2) $(\omega_1, \omega_2, \dots, \omega_g)^T = \Pi_a^{-1} (\tilde{\omega}_1, \tilde{\omega}_2, \dots, \tilde{\omega}_g)^T,$

(3.3) $\tau = \Pi_a^{-1} \Pi_b.$
3.2. Numerical experiments. Finally, we present some examples illustrating our algorithm. In our experiments, we start with an explicit plane affine model of a non-hyperelliptic curve, and possibly also its canonical model $C \subseteq \mathbb{P}^{g-1}$, and then we use the package RiemannSurface of Sage [5] to compute a Riemann matrix τ, on which we run Algorithm 1. We then verify that the resulting quartics cut out the canonical curve we started with. We can do this explicitly in genus 3, when the curve itself is a smooth plane quartic. In higher genera, we first verify that the quartics belong to the ideal of the curve by running the polynomial division algorithm, which returns a remainder of zero up to a certain numerical approximation. Furthermore, to verify that the quartics cut out the curve set-theoretically, we compute the intersection with a hyperplane in $\mathbb{P}^{g-1}$ by adding a random linear form and solving the resulting polynomial system via homotopy continuation. This is the primary computational method in numerical algebraic geometry, and we used the Julia implementation HomotopyContinuation.jl [4]. This computation returns 2g − 2 solutions, confirming that the quartics cut out a curve of degree 2g − 2. We also tried to recover the quadrics vanishing on the curve using the method of Section 2.1: we set up the problem of finding elements of the form $Q(U)^2$ in the space of quartics returned by Algorithm 1, and we solved it, again via HomotopyContinuation.jl. We could do this in genus 4. In genera 4 and 5, we could also compute singular points of the theta divisor, using the methods of Section 3.1. With these singular points, we could compute quadric and cubic equations for the curve, as described in Section 2.1.

Example 3.2 (Genus three). The Trott curve is a smooth plane quartic with affine model C = {f(x, y) = 0}, where

$f(x, y) = 12^2 (x^4 + y^4) - 15^2 (x^2 + y^2) + 350 x^2 y^2 + 81.$

In particular, this is already the canonical model, and the curve is of genus 3 and not hyperelliptic. We compute a Riemann matrix using RiemannSurface in Sage [5]: the package uses the basis of differentials

$\tilde{\omega}_1 = \frac{dx}{f_y}, \qquad \tilde{\omega}_2 = \frac{x\, dx}{f_y}, \qquad \tilde{\omega}_3 = \frac{y\, dx}{f_y},$

where $f_y$ denotes the derivative $\frac{\partial f}{\partial y}$, and then it computes the period matrices $\Pi_a$ and $\Pi_b$ as in (3.1). The entries of the corresponding symmetric normalized Riemann matrix $\tau = (\tau_{ij})$ are as follows:

$\tau_{11} = 1.06848368471179 + 0.723452867814272i,$
$\tau_{12} = -0.305886633614305 + 0.123618182281837i,$
$\tau_{13} = -0.160517941389541 - 0.206682546926085i,$
$\tau_{22} = 0.776859918461210 + 1.25292663517205i,$
$\tau_{23} = -0.626922516393387 - 0.289746911570334i,$
$\tau_{33} = 0.376235735801471 + 0.484440302728207i.$
With this matrix, we set up the linear system (2.10) by computing the theta constants appearing in the expressions of the system [1]. As expected, this has a unique solution, up to scalar multiplication, and we compute the corresponding quartic polynomial (2.9):
$$\begin{aligned}
&(0.44055338231573327 - 0.11712521895532513i)\,u_1^4 \\
&+ (2.094882287195226 + 7.879664904010854i)\,u_1^3u_2 \\
&- (5.316458517368645 - 1.4134300016965646i)\,u_1^3u_3 \\
&+ (61.49338091003442 - 16.348587918073555i)\,u_1^2u_2^2 \\
&+ (27.505923029039046 + 105.6412469122926i)\,u_1^2u_2u_3 \\
&- (43.67750279381081 - 12.658628276584892i)\,u_1^2u_3^2 \\
&- (0.20611709900405373 + 0.7752863638524854i)\,u_1u_2^3 \\
&+ (142.137577271911 + 22.777083502115772i)\,u_1u_2^2u_3 \\
&+ (101.16905240593528 + 146.6228999954985i)\,u_1u_2u_3^2 \\
&- (28.214458865117336 - 92.58798535078905i)\,u_1u_3^3 \\
&- (0.06519271764094459 - 0.017332091034810038i)\,u_2^4 \\
&- (0.016856400506870983 + 0.8256030828721883i)\,u_2^3u_3 \\
&+ (64.66553470742735 + 38.49587006148285i)\,u_2^2u_3^2 \\
&+ (94.88897578016996 + 81.18194430047456i)\,u_2u_3^3 \\
&+ (33.080420780163195 + 41.521570514217885i)\,u_3^4.
\end{aligned}$$
At first glance, this might not look like the Trott curve. However, this equation is for the canonical model of $C$ with respect to a basis of normalized differentials $\tilde\omega_1, \tilde\omega_2, \tilde\omega_3$, obtained from $\omega_1, \omega_2, \omega_3$ via the change of coordinates (3.2). If we go back to the differentials $\omega_1, \omega_2, \omega_3$, we obtain the following quartic, after scaling the coefficients.
$$\begin{aligned}
&81\,u_1^4 \\
&+ (1.2223597321441586\cdot 10^{-13} - 9.454838005323456\cdot 10^{-14}i)\,u_1^3u_2 \\
&+ (2.9124976279639876\cdot 10^{-13} + 1.1282283371974781\cdot 10^{-13}i)\,u_1^3u_3 \\
&- (225.00000000000017 - 4.607401108070593\cdot 10^{-13}i)\,u_1^2u_2^2 \\
&+ (3.669767553538813\cdot 10^{-13} - 3.017230893609506\cdot 10^{-13}i)\,u_1^2u_2u_3 \\
&- (224.99999999999986 + 5.357443148919295\cdot 10^{-13}i)\,u_1^2u_3^2 \\
&- (4.1371303331328177\cdot 10^{-13} - 3.5463573271644895\cdot 10^{-13}i)\,u_1u_2^3 \\
&- (8.382029113614384\cdot 10^{-13} + 3.97078497125283\cdot 10^{-13}i)\,u_1u_2^2u_3 \\
&+ (7.725484571929981\cdot 10^{-13} + 2.34428275709395\cdot 10^{-13}i)\,u_1u_2u_3^2 \\
&- (8.239810406206657\cdot 10^{-13} + 2.6625152861265\cdot 10^{-13}i)\,u_1u_3^3 \\
&+ (143.99999999999918 - 7.607569271465399\cdot 10^{-13}i)\,u_2^4 \\
&- (9.177234341211958\cdot 10^{-13} - 8.304604428951876\cdot 10^{-13}i)\,u_2^3u_3 \\
&+ (350.0000000000026 + 1.2750714694427922\cdot 10^{-12}i)\,u_2^2u_3^2 \\
&- (1.3400119435300388\cdot 10^{-13} - 5.996042934502803\cdot 10^{-13}i)\,u_2u_3^3 \\
&+ (143.99999999999895 - 5.357443148919295\cdot 10^{-14}i)\,u_3^4.
\end{aligned}$$
This is nothing but the quartic defining the Trott curve, up to an error of $10^{-12}$. In particular, we can recover the exact equation if we round the coefficients to the nearest integer. We emphasize that this example is treated slightly differently than in [3, Example 4.8]. Indeed, in [3, Example 4.8] we obtained a numerical equation of the curve via the method presented in this paper, and then we checked that the Dixmier-Ohno invariants of the new curve agreed with the invariants of the Trott curve up to numerical round-off. Here, instead, we could recover an approximate equation of the original Trott curve. Inspired by this example, we repeated the same experiments with 20 plane quartics with integer coefficients.
The coefficients were bounded in absolute value by 100. We computed the period and the Riemann matrix with 53 bits of precision, we computed the theta constants with 12 digits of precision, and at the end we could recover the exact equation of the curve by rounding the coefficients to the closest integer. Each experiment took approximately 4 seconds.

Example 3.3 (Genus four). Moving on to the case of genus 4, we consider the canonical curve
$$(3.4)\qquad C = \{\,u_1u_4 - u_2u_3 = 0,\ \ u_1^3 - u_2^3 - u_3^3 - u_4^3 = 0\,\}.$$
NUMERICAL RECONSTRUCTION OF CURVES
This has an affine plane model given by $\{f(x,y) = 0\}$, where $f(x,y) = 1 - x^3 - y^3 - x^3y^3$. We can recover the previous canonical model via the basis of differentials
$$\omega_1 = -\frac{1}{f_y}\,dx,\qquad \omega_2 = -\frac{x}{f_y}\,dx,\qquad \omega_3 = -\frac{y}{f_y}\,dx,\qquad \omega_4 = -\frac{xy}{f_y}\,dx.$$
We can compute the $4\times 4$ Riemann matrix $\tau$ via the plane model of the curve with the Sage package [5]. This takes approximately 677 milliseconds for 53 bits, or about 16 digits, of precision. To reconstruct the canonical model of the curve back from $\tau$, we compute the 5 quartics in (2.9) by solving the linear system in (2.10). By Lemma 2.1, these 5 quartics cut out the canonical curve (3.4) after the basis change (3.2). We can first verify that the transformed quartics belong to the ideal of $C$ by the polynomial division algorithm. We did it in Sage, working over the complex field with 200 digits of precision. The coefficients of the remainder of the division algorithm were all of size $10^{-15}$. Then, to verify that these quartic equations cut out the curve, we use the Julia package HomotopyContinuation.jl [4]. We add a random linear form to the polynomial system of our 5 quartics and then HomotopyContinuation.jl returns 6 solutions, which is what we expect from a curve of degree 6 in $\mathbb{P}^3$. Moreover, again via homotopy continuation methods, we can find a quadratic polynomial $Q(U)$ such that $Q(U)^2$ is in the linear space generated by the 5 quartics, as in Section 2.1.
After applying the change of basis in (2.1) and rescaling we get the following expression for the quadric:
$$\begin{aligned}
&u_1u_4 - (1.4829350744889013\cdot 10^{-15} - 1.6682847904065378\cdot 10^{-15}i)\,u_1u_2 \\
&- (3.5425309660018567\cdot 10^{-15} + 6.403641669846521\cdot 10^{-16}i)\,u_1u_3 \\
&+ (2.3679052278901118\cdot 10^{-15} + 1.6728691462607347\cdot 10^{-15}i)\,u_1^2 \\
&+ (1.8423363133604865\cdot 10^{-15} - 3.1265312370929112\cdot 10^{-15}i)\,u_2^2 \\
&- (1.0000000000000007 - 2.3672426468663847\cdot 10^{-15}i)\,u_2u_3 \\
&- (1.739413822171687\cdot 10^{-15} - 2.775912191360744\cdot 10^{-15}i)\,u_2u_4 \\
&+ (3.3764916290020825\cdot 10^{-15} - 6.001818720458345\cdot 10^{-15}i)\,u_3^2 \\
&- (3.777550457759975\cdot 10^{-16} - 1.4453231221486755\cdot 10^{-15}i)\,u_3u_4 \\
&- (1.1268542006403671\cdot 10^{-15} + 1.7990461567600933\cdot 10^{-15}i)\,u_4^2.
\end{aligned}$$
In genus four, we can also compute numerically a singular point of the theta divisor. We do it in Sage, as described in Section 3.1, and we find the point:
$$z_0 = (0.75 + 0.54819629i,\ 0.75 - 0.54819629i,\ 0.5 + 0.33618324i,\ 0.75 + 0.2120130i).$$
The theta function and its derivatives vanish at this point up to 13 digits. With this, we can compute the quadric $\partial_U^2\theta(z_0)$ and the cubic $\partial_U^3\theta(z_0)$. After the usual change of coordinates (3.2), the quadric becomes
$$\begin{aligned}
&u_1u_4 + (9.977112210552615\cdot 10^{-8} + 6.939529950175681\cdot 10^{-8}i)\,u_1^2 \\
&+ (6.74409346713264\cdot 10^{-8} - 2.3021247380555947\cdot 10^{-15}i)\,u_1u_2 \\
&- (2.3274471968848503\cdot 10^{-8} + 5.037739720772648\cdot 10^{-8}i)\,u_1u_3 \\
&+ (9.977111730319195\cdot 10^{-8} - 6.93953067335553\cdot 10^{-8}i)\,u_2^2 \\
&- (0.9999999999999997 - 5.892639748496844\cdot 10^{-8}i)\,u_2u_3 \\
&+ (2.3274465793326793\cdot 10^{-8} - 5.037739901039536\cdot 10^{-8}i)\,u_2u_4 \\
&+ (3.9887820808350887\cdot 10^{-8} + 2.7942580923377634\cdot 10^{-8}i)\,u_3^2 \\
&+ (1.3142269019133975\cdot 10^{-7} - 6.865574771844027\cdot 10^{-15}i)\,u_3u_4 \\
&+ (3.988781716962214\cdot 10^{-8} - 2.7942586271411155\cdot 10^{-8}i)\,u_4^2,
\end{aligned}$$
which coincides with the quadric $u_1u_4 - u_2u_3$ of (3.4), up to about 10 digits of precision. The cubic equation that we obtain is:
$$\begin{aligned}
&u_1^3 - (1.0000000001244782 + 4.8426070737375934\cdot 10^{-11}i)\,u_2^3 \\
&- (1.0000000001244924 + 4.8417923378918607\cdot 10^{-11}i)\,u_3^3 \\
&- (1.0000000002161082 + 3.561043256396786\cdot 10^{-11}i)\,u_4^3 \\
&+ (4.5851667064228973\cdot 10^{-11} + 3.883459414267029\cdot 10^{-11}i)\,u_1^2u_2 \\
&- (5.655054824682744\cdot 10^{-11} - 2.0264603303086512\cdot 10^{-11}i)\,u_1^2u_3 \\
&- (4.562873576948296\cdot 10^{-11} + 1.0723355355290677\cdot 10^{-10}i)\,u_1u_2^2 \\
&+ (4.416105308034146\cdot 10^{-11} + 6.485802277816666\cdot 10^{-11}i)\,u_2^2u_4 \\
&- (2.4095153783271284\cdot 10^{-11} - 3.821774264257014\cdot 10^{-11}i)\,u_2u_4^2 \\
&- (2.1061545135963428\cdot 10^{-11} + 3.9985852337772294\cdot 10^{-11}i)\,u_3u_4^2 \\
&+ (3.407561378730717\cdot 10^{-11} - 7.066441338212726\cdot 10^{-11}i)\,u_3^2u_4 \\
&- (7.006134562951018\cdot 10^{-11} - 9.313087455058934\cdot 10^{-11}i)\,u_1u_3^2 \\
&+ (5.3419725864118215 - 2.3068027651869776i)\,u_1^2u_4 - (5.341972586241411 - 2.3068027651197216i)\,u_1u_2u_3 \\
&- (0.861775203997493 - 1.4926384376919832i)\,u_1u_2u_4 + (0.8617752039804856 - 1.492638437827363i)\,u_2^2u_3 \\
&- (0.8617752037076406 + 1.4926384378593538i)\,u_1u_3u_4 + (0.8617752038333869 + 1.4926384379123137i)\,u_2u_3^2 \\
&- (2.396786904582313 - 2.79440847281551i)\,u_1u_4^2 + (2.3967869046516648 - 2.794408472851858i)\,u_2u_3u_4.
\end{aligned}$$
And we see that, with an approximation of 9 digits, this is the cubic $u_1^3 - u_2^3 - u_3^3 - u_4^3$ of (3.4), plus a linear combination of $u_i(u_1u_4 - u_2u_3)$, for $i = 1, 2, 3, 4$.

Example 3.4. Let $C$ be the genus 5 curve with an affine plane equation given by the polynomial $f(x,y) = x^2y^4 + x^4 + x + 3$. The differentials
$$\frac{1}{f_y}\,dx,\qquad \frac{x}{f_y}\,dx,\qquad \frac{xy}{f_y}\,dx,\qquad \frac{xy^2}{f_y}\,dx,\qquad \frac{x^2}{f_y}\,dx$$
form a basis of the space of holomorphic differentials. The corresponding canonical model is given by the complete intersection of the three quadrics:
$$(3.5)\qquad u_4^2 + u_5^2 + u_2u_1 + 3u_1^2,\qquad u_3^2 - u_2u_4,\qquad u_2^2 - u_5u_1.$$
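As an added check, not code from the paper, the following Python script transcribes the coefficients printed in Examples 3.2 and 3.3 and tests the two claims made about them: rounding the recovered Trott quartic gives back the exact one, and the recovered genus-4 cubic equals $u_1^3 - u_2^3 - u_3^3 - u_4^3$ plus a combination of the $u_i(u_1u_4 - u_2u_3)$. The dict-of-exponents representation and the reduction shortcut (reading each $c_i$ off the coefficient of $u_iu_1u_4$, which occurs in no other $u_j(u_1u_4-u_2u_3)$) are ours.

```python
# Added check, not code from the paper: polynomials are dicts {exponent tuple: complex coefficient}.

def poly_sub(p, q, scale=1):                      # p - scale*q, dropping exact zeros
    out = dict(p)
    for m, c in q.items():
        out[m] = out.get(m, 0) - scale * c
    return {m: c for m, c in out.items() if c != 0}

def times_var(p, i):                              # p * u_{i+1}
    return {m[:i] + (m[i] + 1,) + m[i + 1:]: c for m, c in p.items()}

def max_coeff_error(p, q):                        # max |p_m - q_m| over all monomials m
    return max(abs(p.get(m, 0) - q.get(m, 0)) for m in set(p) | set(q))

def round_coeffs(p):                              # round real and imaginary parts, drop zeros
    out = {m: complex(round(c.real), round(c.imag)) for m, c in p.items()}
    return {m: c for m, c in out.items() if c != 0}

# Example 3.2: recovered quartic (exponents of u1, u2, u3), transcribed from the text, and the
# Trott quartic 144(x^4 + y^4) - 225(x^2 + y^2) + 350x^2y^2 + 81 with u1 = 1, u2 = x, u3 = y.
TROTT_RECOVERED = {
    (4, 0, 0): 81,
    (3, 1, 0): 1.2223597321441586e-13 - 9.454838005323456e-14j,
    (3, 0, 1): 2.9124976279639876e-13 + 1.1282283371974781e-13j,
    (2, 2, 0): -(225.00000000000017 - 4.607401108070593e-13j),
    (2, 1, 1): 3.669767553538813e-13 - 3.017230893609506e-13j,
    (2, 0, 2): -(224.99999999999986 + 5.357443148919295e-13j),
    (1, 3, 0): -(4.1371303331328177e-13 - 3.5463573271644895e-13j),
    (1, 2, 1): -(8.382029113614384e-13 + 3.97078497125283e-13j),
    (1, 1, 2): 7.725484571929981e-13 + 2.34428275709395e-13j,
    (1, 0, 3): -(8.239810406206657e-13 + 2.6625152861265e-13j),
    (0, 4, 0): 143.99999999999918 - 7.607569271465399e-13j,
    (0, 3, 1): -(9.177234341211958e-13 - 8.304604428951876e-13j),
    (0, 2, 2): 350.0000000000026 + 1.2750714694427922e-12j,
    (0, 1, 3): -(1.3400119435300388e-13 - 5.996042934502803e-13j),
    (0, 0, 4): 143.99999999999895 - 5.357443148919295e-14j,
}
TROTT_EXACT = {(4, 0, 0): 81, (2, 2, 0): -225, (2, 0, 2): -225,
               (0, 4, 0): 144, (0, 2, 2): 350, (0, 0, 4): 144}

def check_trott():
    """(rounded recovered quartic equals the exact Trott quartic, max error before rounding)"""
    return round_coeffs(TROTT_RECOVERED) == TROTT_EXACT, max_coeff_error(TROTT_RECOVERED, TROTT_EXACT)

# Example 3.3: recovered cubic (exponents of u1..u4), the quadric u1 u4 - u2 u3 and the cubic
# u1^3 - u2^3 - u3^3 - u4^3 of (3.4).
CUBIC_RECOVERED = {
    (3, 0, 0, 0): 1,
    (0, 3, 0, 0): -(1.0000000001244782 + 4.8426070737375934e-11j),
    (0, 0, 3, 0): -(1.0000000001244924 + 4.8417923378918607e-11j),
    (0, 0, 0, 3): -(1.0000000002161082 + 3.561043256396786e-11j),
    (2, 1, 0, 0): 4.5851667064228973e-11 + 3.883459414267029e-11j,
    (2, 0, 1, 0): -(5.655054824682744e-11 - 2.0264603303086512e-11j),
    (1, 2, 0, 0): -(4.562873576948296e-11 + 1.0723355355290677e-10j),
    (0, 2, 0, 1): 4.416105308034146e-11 + 6.485802277816666e-11j,
    (0, 1, 0, 2): -(2.4095153783271284e-11 - 3.821774264257014e-11j),
    (0, 0, 1, 2): -(2.1061545135963428e-11 + 3.9985852337772294e-11j),
    (0, 0, 2, 1): 3.407561378730717e-11 - 7.066441338212726e-11j,
    (1, 0, 2, 0): -(7.006134562951018e-11 - 9.313087455058934e-11j),
    (2, 0, 0, 1): 5.3419725864118215 - 2.3068027651869776j,
    (1, 1, 1, 0): -(5.341972586241411 - 2.3068027651197216j),
    (1, 1, 0, 1): -(0.861775203997493 - 1.4926384376919832j),
    (0, 2, 1, 0): 0.8617752039804856 - 1.492638437827363j,
    (1, 0, 1, 1): -(0.8617752037076406 + 1.4926384378593538j),
    (0, 1, 2, 0): 0.8617752038333869 + 1.4926384379123137j,
    (1, 0, 0, 2): -(2.396786904582313 - 2.79440847281551j),
    (0, 1, 1, 1): 2.3967869046516648 - 2.794408472851858j,
}
QUADRIC = {(1, 0, 0, 1): 1, (0, 1, 1, 0): -1}
CUBIC_EXACT = {(3, 0, 0, 0): 1, (0, 3, 0, 0): -1, (0, 0, 3, 0): -1, (0, 0, 0, 3): -1}

def reduce_mod_quadric(g):
    """Strip sum_i c_i u_i (u1 u4 - u2 u3) from g.  The monomial u_i u1 u4 occurs in u_i*QUADRIC
    only and not in the target cubic, so c_i is read off as its coefficient in g (our shortcut).
    Returns (remainder, [c_1, ..., c_4])."""
    h, cs = dict(g), []
    for i in range(4):
        e = [1, 0, 0, 1]
        e[i] += 1                                 # exponent tuple of u_i * u1 * u4
        c = h.get(tuple(e), 0)
        h = poly_sub(h, times_var(QUADRIC, i), c)
        cs.append(c)
    return h, cs

def check_genus4_cubic():
    """Max coefficient error between the reduced cubic and u1^3 - u2^3 - u3^3 - u4^3."""
    return max_coeff_error(reduce_mod_quadric(CUBIC_RECOVERED)[0], CUBIC_EXACT)
```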
We compute the sixteen Dubrovin quartics (2.9) and we check that, after the change of coordinates (3.2), they belong to the ideal of $C$. We do this by polynomial division in Sage, over the complex field with 200 digits of precision as in Example 3.3. The coefficients of the remainder are of size $10^{-10}$. We also check whether the quartics define a curve by adding a random linear form and solving the corresponding system via HomotopyContinuation.jl. We obtain 8 solutions, which is nothing but the degree of our canonical genus 5 curve. Here, one needs to increase the precision to about 15 digits while computing the Riemann matrix, which is required for computing the Dubrovin quartics. In this example, we could also compute singular points of the theta divisor as explained in Section 3.1. We computed three points $z_1, z_2, z_3$ where the theta function and all its derivatives vanish up to an error of $10^{-10}$. Then we obtain three quadrics $\partial_U^2\theta(z_1), \partial_U^2\theta(z_2), \partial_U^2\theta(z_3)$, which, after the usual change of variables (3.2), can be expressed as three independent linear combinations of the quadrics in (3.5), again up to an error of $10^{-10}$. In the following examples, we push our methods to higher genera.

Example 3.5 (Genus 6 and 7). Here we choose the curves of genus 6 and 7 known as Wiman's sextic [16] and the butterfly curve [10]. Their respective plane affine equations are:
$$x^6 + y^6 + 1 + (x^2 + y^2 + 1)(x^4 + y^4 + 1) = 12x^2y^2,\qquad x^6 + y^6 = x^2.$$
We first compute their Riemann matrices numerically in Sage. Then, we estimate the corresponding 42 and 99 quartics (2.9) in $\mathbb{P}^5$ and $\mathbb{P}^6$ respectively. Using the homotopy continuation method in Julia, we could verify that they define curves
of degree 10 and 12 as expected. We point out that in these cases we needed to increase the precision in the Riemann matrix computation: 200 bits of precision in genus 6 and 500 bits in genus 7 were enough for the homotopy continuation computation to terminate.

Example 3.6. Finally, we discuss some numerical experiments related to the Schottky problem, as in Section 2.2. We chose 100 random Riemann matrices in genus 4, computed the corresponding quartics as in Lemma 2.1, added a random linear form and solved the resulting system numerically via HomotopyContinuation.jl. As expected, we found no solutions, confirming the fact that the quartics do not cut out a curve in $\mathbb{P}^3$. We expect that this circle of ideas would lead to an effective numerical solution to the Schottky problem, and we will investigate this in future work.

Acknowledgments
We would like to thank Nils Bruin, Bernard Deconinck, Bernd Sturmfels and André Uschmajew for their useful comments and their support. We would also like to thank the anonymous referees for their careful reading and for their remarks.

References
[1] Daniele Agostini and Lynn Chua, Computing theta functions with Julia, J. Softw. Algebra Geom. 11 (2021), no. 1, 41–51, DOI 10.2140/jsag.2021.11.41. MR4285763
[2] Daniele Agostini and Lynn Chua, On the Schottky problem for genus-five Jacobians with a vanishing theta-null, Ann. Sc. Norm. Super. Pisa Cl. Sci. (5) 22 (2021), no. 1, 333–350. MR4288659
[3] Daniele Agostini, Türkü Özlüm Çelik, and Bernd Sturmfels, The Dubrovin threefold of an algebraic curve, Nonlinearity 34 (2021), no. 6, 3783–3812, DOI 10.1088/1361-6544/abf08c. MR4281432
[4] P. Breiding and S. Timme, HomotopyContinuation.jl: A package for homotopy continuation in Julia, Mathematical Software – ICMS 2018, Lecture Notes in Computer Science, vol. 10931, Springer, Cham, 2018, pp. 458–465.
[5] Nils Bruin, Jeroen Sijsling, and Alexandre Zotine, Numerical computation of endomorphism rings of Jacobians, Proceedings of the Thirteenth Algorithmic Number Theory Symposium, Open Book Ser., vol. 2, Math. Sci. Publ., Berkeley, CA, 2019, pp. 155–171. MR3952010
[6] C. Swierczewski et al., Abelfunctions: A library for computing with Abelian functions, Riemann surfaces, and algebraic curves, github.com/abelfunctions/abelfunctions, 2016.
[7] Lynn Chua, Mario Kummer, and Bernd Sturmfels, Schottky algorithms: classical meets tropical, Math. Comp. 88 (2019), no. 319, 2541–2558, DOI 10.1090/mcom/3406. MR3957905
[8] B. A. Dubrovin, Theta-functions and nonlinear equations (Russian), Uspekhi Mat. Nauk 36 (1981), no. 2(218), 11–80. With an appendix by I. M. Krichever. MR616797
[9] Hershel M. Farkas, Samuel Grushevsky, and Riccardo Salvati Manni, An explicit solution to the weak Schottky problem, Algebr. Geom. 8 (2021), no. 3, 358–373, DOI 10.14231/ag-2021009. MR4206440
[10] H. T. Fay, The butterfly curve, Amer. Math. Monthly 96 (1989), no. 5, 442–443.
[11] M. L. Green, Quadrics of rank four in the ideal of a canonical curve, Invent. Math. 75 (1984), no. 1, 85–104, DOI 10.1007/BF01403092. MR728141
[12] Samuel Grushevsky, The Schottky problem, Current developments in algebraic geometry, Math. Sci. Res. Inst. Publ., vol. 59, Cambridge Univ. Press, Cambridge, 2012, pp. 129–164. MR2931868
[13] George R. Kempf and Frank-Olaf Schreyer, A Torelli theorem for osculating cones to the theta divisor, Compositio Math. 67 (1988), no. 3, 343–353. MR959216
[14] I. M. Krichever, Methods of algebraic geometry in the theory of non-linear equations, Russian Math. Surveys 32 (1977), 185–213.
[15] Takahiro Shiota, Characterization of Jacobian varieties in terms of soliton equations, Invent. Math. 83 (1986), no. 2, 333–382, DOI 10.1007/BF01388967. MR818357
[16] A. Wiman, Zur Theorie der endlichen Gruppen von birationalen Transformationen in der Ebene (German), Math. Ann. 48 (1896), no. 1-2, 195–240, DOI 10.1007/BF01446342. MR1510931

Max-Planck-Institut für Mathematik in den Naturwissenschaften, Inselstraße 22, 04103 Leipzig, Germany
Email address: [email protected]

Department of Mathematics, Boğaziçi University, 34342 Bebek, Istanbul, Turkey
Email address: [email protected]

Department of Mathematics, Bilkent University, 06800 Bilkent, Ankara, Turkey
Email address: [email protected]
Contemporary Mathematics Volume 779, 2022 https://doi.org/10.1090/conm/779/15668
A strategy to optimize the complexity of Chudnovsky-type algorithms over the projective line
Stéphane Ballet, Alexis Bonnecaze, and Bastien Pacifico

Abstract. Chudnovsky-type algorithms of multiplication in finite fields are well known for their good bilinear complexity. Recently, two advances have been obtained in the study of these algorithms: a strategy to optimize the scalar complexity of the original algorithm and the development of a generic recursive construction over the projective line. The construction of recursive Chudnovsky-type algorithms over the projective line makes possible an efficient generic strategy to optimize their complexity (number of scalar and bilinear multiplications and additions in the base field). Then, several examples are given. In particular, considering Baum-Shokrollahi's experiment (1992), this constructive method provides a Chudnovsky-type algorithm of multiplication in $\mathbb{F}_{256}/\mathbb{F}_4$ with the best known complexity, while being much more efficient than existing optimization methods.
Key words and phrases. Multiplicative complexity, finite fields, Chudnovsky-type algorithms.
© 2022 American Mathematical Society

1. Introduction
The search for finite field multiplication algorithms with good algebraic complexity (cf. [BCS97]) is still a major issue in algorithmics and in cryptography. In this paper, we are interested in the number of arithmetic operations in the base field when multiplying in an extension of finite degree of a finite field. Several more general remarkable methods are known (for example [Kar63], [Fü09], and [SS71]) and can be used to address this problem. Recently, Harvey and van der Hoeven [HvdH19] have proven that such a multiplication can be computed with $O(n\log n)$ operations (when $q$ is fixed), assuming a widely-believed hypothesis. Similarly to the latter, many works focus on multiplication algorithms with efficient asymptotic complexities, giving estimations of the total number of operations in the base field relative to the degree of the extension using the $O$ notation. But these methods may not be optimal at finite distance (i.e. not from the point of view of asymptotic complexity), in particular for moderate-sized parameters (around a few thousands of bits). For example, Schönhage-Strassen's algorithm [SS71] has a better asymptotic complexity than Karatsuba's algorithm [Kar63], but outperforms the latter method only when the parameters become huge (around millions of bits), exceeding many usage sizes. As for the Fürer algorithm [Fü09], it is competitive for even larger numbers. Moreover, it is well known that different operations do not have the same cost in terms of bit operations. In particular, multiplication is more expensive than addition and bilinear multiplication is itself more expensive
STÉPHANE BALLET ET AL.
than scalar multiplication ([STV92], [BCP+21] Section 1). We therefore choose to consider the algebraic complexity model while taking into account the different costs of these operations. To do so, we consider the multiplication method of D.V. and G.V. Chudnovsky [CC88], which admits the best bilinear complexity, both at finite distance and asymptotically. We propose a strategy for the construction of this method in order to optimize the number of scalar multiplications and the number of additions while keeping the same bilinear complexity. Our goal is to be able to obtain in practice, i.e. at finite distance, a total complexity competitive with the best algorithms. It should also be noted that determining the asymptotic complexity of our method remains an open problem.

Let $q$ be a prime power, $\mathbb{F}_q$ the finite field with $q$ elements and $\mathbb{F}_{q^n}$ the degree $n$ extension of $\mathbb{F}_q$. Let $\mathcal{B} = \{e_1, \dots, e_n\}$ be a basis of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$; then for $x = \sum_{i=1}^n x_ie_i$ and $y = \sum_{j=1}^n y_je_j$, the direct calculation of the product is given by
$$(1)\qquad z = xy = \sum_{h=1}^n z_he_h = \sum_{h=1}^n \sum_{i,j=1}^n t_{ijh}\,x_iy_j\,e_h,$$
where $e_ie_j = \sum_{h=1}^n t_{ijh}e_h$, $t_{ijh} \in \mathbb{F}_q$ being some constants. One can distinguish two types of multiplications in this product: the bilinear ones, that depend on the two elements being multiplied (i.e. the $x_iy_j$); and the scalar ones, that are multiplications by a constant in $\mathbb{F}_q$. At first glance, the latter computation requires $n^2$ bilinear multiplications, $n^3$ scalar multiplications and $n^3 - n$ additions.

Definition 1.1. Let $\mathcal{U}_{q,n}$ be an algorithm for the multiplication in $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$.
• The number of non-trivial scalar multiplications in $\mathbb{F}_q$ (i.e. multiplications by $\alpha \in \mathbb{F}_q$ with $\alpha \neq 0, 1$) used in $\mathcal{U}_{q,n}$ is called its scalar complexity, and is denoted by $\mu_s(\mathcal{U}_{q,n})$.
• The number of bilinear multiplications in $\mathbb{F}_q$ used in $\mathcal{U}_{q,n}$ is called its bilinear complexity, denoted by $\mu_b(\mathcal{U}_{q,n})$.
We also denote by $a(\mathcal{U}_{q,n})$ the number of additions in $\mathbb{F}_q$ in the algorithm. Consequently, the total complexity of $\mathcal{U}_{q,n}$, denoted by $\mu(\mathcal{U}_{q,n})$, is given by
$$\mu(\mathcal{U}_{q,n}) = \mu_b(\mathcal{U}_{q,n}) + \mu_s(\mathcal{U}_{q,n}) + a(\mathcal{U}_{q,n}).$$
Note that bilinear multiplications are known to be computationally heavier than the scalar ones. Algorithms with good bilinear complexity are interpolation algorithms. Among them, the method introduced by D.V. and G.V. Chudnovsky [CC88] makes it possible to obtain the best known bilinear complexity. The original Chudnovsky-Chudnovsky Multiplication Algorithm (CCMA) is an interpolation algorithm over rational places of a function field. This construction has been generalized in different ways, for instance with the use of places of arbitrary degrees or the use of derivative evaluations. A detailed review on the topic is given in [BCP+21]. Nevertheless, the total complexity of these algorithms has not been deeply studied yet. The first step in this direction has been made by Ballet et al. [BBD19, BBD21], giving a strategy to optimize the scalar complexity of the original CCMA. This strategy can be summarized as follows. The algorithm involves two matrices.
For each coefficient distinct from zero and one of a matrix, a scalar multiplication is performed. Therefore, in order to reduce the number of scalar multiplications, these matrices must have a maximum number of zeros and ones.
OPTIMIZATION OF CHUDNOVSKY ALGORITHMS
In this paper, we focus on the optimization of the recursive Chudnovsky-type algorithms over the projective line, proposed in [BBP20]. First, we rely on the work of [BBD21] to extend it to the use of places of arbitrary degrees. Then, a constructive method is developed to optimize the complexity of the algorithms on the projective line. The paper is organized as follows. In Section 2, we introduce Chudnovsky-type algorithms with evaluations at places of arbitrary degrees, and then the recursive construction over the projective line. In Section 3, we deal with the scalar complexity of Chudnovsky-type algorithms when non-rational places are used. Then, we propose a strategy to improve the scalar complexity of recursive Chudnovsky-type algorithms over the projective line. In Section 4, we give several examples. In particular, we illustrate this process on the extension of degree 4 of $\mathbb{F}_4$, and obtain an algorithm of same bilinear complexity and better total complexity than the Baum-Shokrollahi experiment [BS91], and its optimizations given in [BBD21].

2. Chudnovsky-type algorithms
Let $F/\mathbb{F}_q$ be a function field of genus $g$ over $\mathbb{F}_q$. For $\mathcal{O}$ a valuation ring, the place $P$ is defined to be $P = \mathcal{O} \setminus \mathcal{O}^\times$. We denote by $F_P = \mathcal{O}_P/P$ the residue class field at the place $P$, which is isomorphic to $\mathbb{F}_{q^d}$, $d$ being the degree of the place. A rational place is a place of degree 1. A divisor $D$ is a formal sum $D = \sum_i n_iP_i$, where the $P_i$ are places and the $n_i$ are integers. The support $\operatorname{supp} D$ of $D$ is the set of the places $P_j$ for which $n_j \neq 0$, and $D$ is effective if all the $n_i$ are positive. The degree of $D$ is defined by $\deg D = \sum_i n_i$. The Riemann-Roch space associated to the divisor $D$ is denoted by $\mathcal{L}(D)$. A divisor $D$ is said to be non-special if $\dim \mathcal{L}(D) = \deg(D) + 1 - g$. Details about algebraic function fields can be found in [Sti08].

2.1. CCMA with evaluation at places of arbitrary degrees. The latest generalization of CCMA is given in [BCP+21].
Before introducing the algorithm, let us give a definition of the generalized Hadamard product.

Definition 2.1. Let $q$ be a prime power and $d_1, \dots, d_N$ be positive integers. The generalized Hadamard product in $\mathbb{F}_{q^{d_1}} \times \cdots \times \mathbb{F}_{q^{d_N}}$, denoted by $\odot$, is given for all $(a_1, \dots, a_N), (b_1, \dots, b_N) \in \mathbb{F}_{q^{d_1}} \times \cdots \times \mathbb{F}_{q^{d_N}}$ by
$$(a_1, \dots, a_N) \odot (b_1, \dots, b_N) = (a_1b_1, \dots, a_Nb_N).$$
With this notation, we recall the version of the Chudnovsky-Chudnovsky algorithm useful for our study, namely the one allowing evaluations at places of arbitrary degrees (see [BCP+21, Corollary 5.4]).

Theorem 2.2 (CCMA at places of arbitrary degrees). Let
• $n$ be a positive integer,
• $F/\mathbb{F}_q$ be an algebraic function field of genus $g$,
• $Q$ be a degree $n$ place of $F/\mathbb{F}_q$,
• $D$ be a divisor of $F/\mathbb{F}_q$,
• $\mathcal{P} = \{P_1, \dots, P_N\}$ be an ordered set of places of arbitrary degrees of $F/\mathbb{F}_q$.
We suppose that $\operatorname{supp} D \cap \{Q, P_1, \dots, P_N\} = \emptyset$ and that
(i) the evaluation map
$$Ev_Q : \mathcal{L}(D) \to F_Q,\qquad f \mapsto f(Q)$$
is surjective,
(ii) the evaluation map
$$Ev_{\mathcal{P}} : \mathcal{L}(2D) \to \mathbb{F}_{q^{\deg P_1}} \times \cdots \times \mathbb{F}_{q^{\deg P_N}},\qquad f \mapsto \big(f(P_1), \dots, f(P_N)\big)$$
is injective.
Then,
(1) we have a multiplication algorithm $\mathcal{U}^{F,\mathcal{P}}_{q,n}(D,Q)$ such that for any two elements $x, y$ in $\mathbb{F}_{q^n}$:
$$(2)\qquad xy = E_Q \circ \big(Ev_{\mathcal{P}}|_{\operatorname{Im} Ev_{\mathcal{P}}}\big)^{-1}\Big(E_{\mathcal{P}} \circ Ev_Q^{-1}(x) \odot E_{\mathcal{P}} \circ Ev_Q^{-1}(y)\Big),$$
where $E_Q$ denotes the canonical projection from the valuation ring $\mathcal{O}_Q$ of the place $Q$ in its residue class field $F_Q$, $E_{\mathcal{P}}$ the extension of $Ev_{\mathcal{P}}$ on the valuation ring $\mathcal{O}_Q$ of the place $Q$, $\big(Ev_{\mathcal{P}}|_{\operatorname{Im} Ev_{\mathcal{P}}}\big)^{-1}$ the restriction of the inverse map of $Ev_{\mathcal{P}}$ on its image, $\odot$ the generalized Hadamard product and $\circ$ the standard composition map;
(2) the algorithm $\mathcal{U}^{F,\mathcal{P}}_{q,n}(D,Q)$ defined by (2) has bilinear complexity
$$\mu_b\big(\mathcal{U}^{F,\mathcal{P}}_{q,n}(D,Q)\big) = \sum_{i=1}^N \mu_b\big(\mathcal{U}_{q,\deg P_i}(P_i)\big),$$
where $\mathcal{U}_{q,\deg P_i}(P_i)$ is the algorithm used to multiply the evaluations at $P_i$, in $\mathbb{F}_{q^{\deg P_i}}$.

Sufficient application conditions are given in the following.

Proposition 2.3 (Criteria for CCMA at places of arbitrary degrees). Let $q$ be a prime power and let $n > 1$ be an integer. If there exists an algebraic function field $F/\mathbb{F}_q$ of genus $g$ with a set of places $\mathcal{P} = \{P_1, \dots, P_N\}$ and an effective divisor $D$ of degree $n + g - 1$ such that
1) there exists a place $Q$ of degree $n$ (which is always the case if $2g + 1 \le q^{\frac{n-1}{2}}(q^{\frac{1}{2}} - 1)$),
2) $\operatorname{Supp} D \cap (\mathcal{P} \cup Q) = \emptyset$, and $D - Q$ is non-special,
3) $\sum_{i=1}^N \deg P_i = 2n + g - 1$ and $2D - \sum_{i=1}^N P_i$ is non-special,
then,
(i) the evaluation map $Ev_Q : \mathcal{L}(D) \to F_Q$, $f \mapsto f(Q)$, is an isomorphism of vector spaces over $\mathbb{F}_q$,
(ii) and the evaluation map $Ev_{\mathcal{P}} : \mathcal{L}(2D) \to \mathbb{F}_{q^{\deg P_1}} \times \cdots \times \mathbb{F}_{q^{\deg P_N}}$, $f \mapsto \big(f(P_1), \dots, f(P_N)\big)$, is an isomorphism of vector spaces of dimension $2n + g - 1$ over $\mathbb{F}_q$.
2.2. Recursive Chudnovsky-type algorithm over the projective line. In this paper, we focus on the optimization of recursive Chudnovsky-type algorithms over the projective line, introduced in [BBP20]. These algorithms are a specialization of the algorithm from Theorem 2.2 to the rational function field.

Definition 2.4. Let $q$ be a prime power and $n$ be a positive integer. A recursive Chudnovsky-type algorithm $\mathcal{U}^{\mathcal{P}_n}_{q,n}(Q)$ over the projective line is an algorithm $\mathcal{U}^{F,\mathcal{P}}_{q,n}(D,Q)$ satisfying the assumptions of Theorem 2.2 such that:
• $F/\mathbb{F}_q$ is the rational function field $\mathbb{F}_q(x)$,
• $Q$ is a place of degree $n$ of $\mathbb{F}_q(x)$,
• $D = (n-1)P_\infty$, where $P_\infty$ is the place at infinity of $\mathbb{F}_q(x)$,
• $\mathcal{P}_n$ is a set of places of degrees lower than $n$ such that $\sum_{P \in \mathcal{P}_n} \deg P = 2n - 1$,
• the multiplication in $F_P \simeq \mathbb{F}_{q^d}$, where $d = \deg P$, is computed by $\mathcal{U}^{\mathcal{P}_d}_{q,d}(P)$, where $P \in \mathcal{P}_n$.
Note that if $P \in \mathcal{P}_n$ is a rational place, the algorithm $\mathcal{U}^{\mathcal{P}_1}_{q,1}(P)$ consists in only a bilinear multiplication in $\mathbb{F}_q$. Such an algorithm verifies the criteria of Proposition 2.3. The bilinear complexity of these algorithms is given by the following.

Proposition 2.5. Let $\mathcal{U}^{\mathcal{P}_n}_{q,n}(Q)$ be a recursive Chudnovsky-type algorithm over the projective line. Its bilinear complexity is given by
$$\mu_b\big(\mathcal{U}^{\mathcal{P}_n}_{q,n}(Q)\big) = \sum_{P \in \mathcal{P}_n} \mu_b\big(\mathcal{U}^{\mathcal{P}_d}_{q,d}(P)\big),$$
where $d = \deg P$.

Note that the evaluation at $P_\infty$ is defined specifically in this context, since $P_\infty$ is in the support of $D$.

Definition 2.6. Let $k$ be a positive integer and $P_\infty$ be the place at infinity of $\mathbb{F}_q(x)$. Let $D = kP_\infty$, and let $f = \sum_{i=0}^k f_ix^i \in \mathcal{L}(D)$. We define the evaluation at $P_\infty$ to be, for all $f \in \mathcal{L}(D)$, $f(P_\infty) := f_k$.

Example 2.7. Consider the multiplication in $\mathbb{F}_{4^4}$ over $\mathbb{F}_4$. Let $P_0, P_1, P_\omega, P_{\omega^2}$ and $P_\infty$ be the rational places of $\mathbb{F}_4[x]$. Let $P^2$ be a place of degree 2, and $Q$ be a place of degree 4. Then, we can construct a recursive Chudnovsky-type algorithm over the projective line with $\mathcal{P}_4 = \{P_0, P_1, P_\omega, P_{\omega^2}, P_\infty, P^2\}$. This algorithm uses the algorithm $\mathcal{U}^{\mathcal{P}_2}_{4,2}(P^2)$, defined with $\mathcal{P}_2 = \{P_0, P_1, P_\infty\}$. The diagram of its construction is given in Table 1. As well as the Baum-Shokrollahi experiment [BS91], this algorithm has an optimal bilinear complexity $\mu_b\big(\mathcal{U}^{\mathcal{P}_4}_{4,4}(Q)\big) = 8$.

3. Optimization of scalar complexity
3.1. Some general results. First, we discuss how to adapt the work of [BBD21] to Chudnovsky-type algorithms using places of arbitrary degrees. Let $\mathcal{U}_{q,n} = \mathcal{U}^{F,\mathcal{P}}_{q,n}(D,Q)$ be an algorithm as defined in Theorem 2.2, and verifying the criteria of Proposition 2.3, for the multiplication in $\mathbb{F}_{q^n}$. Following [BBD21], we consider that the basis of $\mathbb{F}_{q^{\deg P_1}} \times \cdots \times \mathbb{F}_{q^{\deg P_N}}$ is always the canonical basis.
Table 1. Diagram of the construction of $\mathcal{U}^{\mathcal{P}_4}_{4,4}(Q)$.

$\mathcal{U}^{\mathcal{P}_4}_{4,4}(Q)$
    $P_0 \quad P_1 \quad P_\omega \quad P_{\omega^2} \quad P_\infty \quad P^2 \to \mathcal{U}^{\mathcal{P}_2}_{4,2}(P^2)$
        $P_0 \quad P_1 \quad P_\infty$
The basis $\mathcal{B}_Q$ of $F_Q = \mathbb{F}_{q^n}$ is defined by $\mathcal{B}_Q = Ev_Q(\mathcal{B}_D)$, where $\mathcal{B}_D$ is the basis of $\mathcal{L}(D)$. We also denote by $\mathcal{B}_{2D}$ the basis of the Riemann-Roch space $\mathcal{L}(2D)$. Since we take $D$ as an effective divisor, we have that $\mathcal{L}(D) \subset \mathcal{L}(2D)$, and we take $\mathcal{B}_{2D} = \mathcal{B}_D \cup \mathcal{B}_D^c$, where $\mathcal{B}_D^c$ is a basis of the supplementary space of $\mathcal{L}(D)$ in $\mathcal{L}(2D)$. Let $T_D$ (resp. $T_{2D}$) be the matrix of $E_{\mathcal{P}} : \mathcal{L}(D) \longrightarrow \mathbb{F}_{q^{\deg P_1}} \times \cdots \times \mathbb{F}_{q^{\deg P_N}}$ in the basis $\mathcal{B}_D$ (resp. $Ev_{\mathcal{P}} : \mathcal{L}(2D) \longrightarrow \mathbb{F}_{q^{\deg P_1}} \times \cdots \times \mathbb{F}_{q^{\deg P_N}}$, in the basis $\mathcal{B}_{2D}$). Let $C$ be the matrix of the map $E_Q$ from the Riemann-Roch space $\mathcal{L}(2D)$, in the basis $\mathcal{B}_{2D}$, to the finite field $\mathbb{F}_{q^n}$, in the basis $\mathcal{B}_Q$ over $\mathbb{F}_q$. Using these matrices, Algorithm (2) is written
$$(3)\qquad XY = CT_{2D}^{-1}\big(T_D(X) \odot T_D(Y)\big),$$
where $X$ and $Y$ are the two elements of $\mathbb{F}_{4^4}$ in the basis $\mathcal{B}_Q$ being multiplied, and $\odot$ is the generalized Hadamard product. In the following, we consider the product of $C$ and $T_{2D}^{-1}$ as one matrix $CT_{2D}^{-1}$.

Recall that the scalar complexity of the algorithm $\mathcal{U}_{q,n}$ is defined as its number of multiplications by a non-trivial constant (distinct from 0 or 1) in $\mathbb{F}_q$. In $\mathcal{U}_{q,n}$, the matrices $T_D$ and $CT_{2D}^{-1}$ provide some scalar multiplications of the algorithm. We therefore wish to obtain matrices with as many coefficients equal to zero or one as possible, to have a maximum number of trivial multiplications that do not count in the scalar complexity. Consequently, we focus on the number of zeros and ones in these matrices. We denote by $N_z(T_D)$ (resp. $N_z(CT_{2D}^{-1})$) the number of zeros in $T_D$ (resp. $CT_{2D}^{-1}$) and also denote by $N_1(T_D)$ (resp. $N_1(CT_{2D}^{-1})$) the number of ones in the matrix $T_D$ (resp. $CT_{2D}^{-1}$). Note that it is useful to distinguish between zeros and ones, since the coefficients equal to one must be counted in the number of additions used by the algorithm. Since the matrix $T_D$ is used twice in the algorithm, and $CT_{2D}^{-1}$ only once, we denote the total number of zeros by $N_z = 2N_z(T_D) + N_z(CT_{2D}^{-1})$ and the total number of ones by $N_1 = 2N_1(T_D) + N_1(CT_{2D}^{-1})$. If the algorithm $\mathcal{U}_{q,n}$ is an original CCMA, the evaluations are only at rational places and all the scalar multiplications are given by the matrices $T_D$ and $CT_{2D}^{-1}$. Hence, the scalar complexity is given by [BBD19, BBD21]:
$$(4)\qquad \mu_s(\mathcal{U}_{q,n}) = 3n(n + g - 1) - N_z - N_1.$$
In our study, we allow the evaluations to be at places of arbitrary degrees. Consequently, we have to count the scalar multiplications involved in an algorithm $\mathcal{U}_{q,d}(P)$ (not necessarily of Chudnovsky type), where $d = \deg P$, for the multiplication in the residue class field $F_P \simeq \mathbb{F}_{q^d}$, required to multiply the evaluations at $P$.
Proposition 3.1. Let Uq,n be a Chudnovsky-type algorithm from Theorem 2.2, with evaluations at places of arbitrary degrees. Then, its scalar complexity is such that (5) μs (Uq,n ) = 3n(n + g − 1) − Nz − N1 + μs (Uq,d (P )), P ∈P
where d = degP and Uq,d (P ) is the algorithm used to multiply the evaluations at P . Proof. Follows from (4), where we add the scalar complexity of the multipli cations in Fqdeg P for all places P used by the algorithm. Since we have to add the scalar complexity of the algorithms Uq,d (P ), for all P ∈ P and d = deg P , the use of non rational places looks heavier for the scalar complexity. However, this is not necessarily the case. First, because a function field of lower genus can be used, which implies the use of smaller matrices, and also because the matrix TD might contain more zeros. Proposition 3.2. Let Uq,n be a Chudnovsky-type algorithm as defined in Theorem 2.2, satisfying Proposition 2.3. Consider P ⊂ P constructed by taking places that are in P by growing degrees as long as the sum of their degrees remains lower than or equal to n + g − 1. Then, the number of zeros of TD verifies Nz (TD ) ≤ n n + g − 1 + (deg P − 1) . P ∈P\P
Proof. By Proposition 2.3, the divisor $D$ is taken effective and of degree $n + g - 1$. Thus, a function $f$ in $\mathcal{L}(D)$ has at most $\deg D = n + g - 1$ zeros. Consider $f \in \mathcal{B}_D$; then a column of $T_D$ is given by the evaluations of $f$ at the places in $\mathcal{P}$. Moreover, the evaluation at a place of degree $d$ gives $d$ coefficients in $\mathbb{F}_q$, and such an evaluation can give $d - 1$ zeros without vanishing. As the ratio $(d-1)/d$ is increasing, the column defined by the evaluations of $f$ has the largest number of zeros if $f$ has (at most) $n + g - 1$ zeros at the places of smallest possible degree, i.e. at the places in $\mathcal{P}'$, and $\deg P - 1$ coefficients equal to zero for each other place $P$. Then, a column of $T_D$ is given by the evaluations of a function in $\mathcal{L}(D)$ and has at most $n + g - 1 + \sum_{P \in \mathcal{P} \setminus \mathcal{P}'} (\deg P - 1)$ coefficients equal to zero. The bound is obtained by counting this maximal number of zeros for all the $n$ columns of $T_D$.

Another important result for the optimization strategy is that, for given $\mathcal{P}$, $D$ and $Q$, since the basis $\mathcal{B}_D$ of $\mathcal{L}(D)$ is fixed and the basis $\mathcal{B}_{2D} = \mathcal{B}_D \cup \mathcal{B}_D^c$ of $\mathcal{L}(2D)$ is an extension of the basis of $\mathcal{L}(D)$, the algorithm does not depend on the choice of $\mathcal{B}_D^c$. This result is established in [BBD19, Proposition 1], and is also true when places of higher degrees are used (the same proof holds).

3.2. Optimization of the complexity of a recursive Chudnovsky-type algorithm over the projective line. Consider a recursive Chudnovsky-type algorithm over the projective line $U_{q,n}^{\mathcal{P}_n}(Q)$. The bilinear complexity of such an algorithm is known by Proposition 2.5. In this section, we introduce our strategy to optimize its total complexity.
Proposition 3.3. Let $U_{q,n}^{\mathcal{P}_n}(Q)$ be a recursive Chudnovsky-type algorithm over the projective line. Then, the scalar complexity of $U_{q,n}^{\mathcal{P}_n}(Q)$ is given by
$$\mu_s(U_{q,n}^{\mathcal{P}_n}(Q)) = 3n(2n - 1) - N_z - N_1 + \sum_{P \in \mathcal{P}_n} \mu_s(U_{q,d}^{\mathcal{P}_d}(P)),$$
where $d = \deg P$.

Proof. Follows immediately from Proposition 3.1, where the Chudnovsky-type algorithm $U_{q,d}^{\mathcal{P}_d}(P)$ over the projective line is used to multiply in $\mathbb{F}_P$ (isomorphic to $\mathbb{F}_{q^d}$).

By the results obtained in [BBD19, BBD21] and the previous section, the optimization of the scalar complexity of $U_{q,n}^{\mathcal{P}_n}(Q)$ only depends on the basis of $\mathcal{L}(D)$, when $\mathcal{P}_n$, $D$ and the place $Q$ of degree $n$ are fixed. Hence, the main focus is to find a basis $\mathcal{B}_D$ of $\mathcal{L}(D)$ such that the matrices $T_D$ and $CT_{2D}^{-1}$ have as many zeros and ones as possible. The basis of $\mathbb{F}_{q^n}$ will be defined in accordance with this basis. The strategy proposed in [BBD19] and significantly completed in [BBD21] is to construct a first basis $\mathcal{B}_D$, and apply the linear group $GL_n(\mathbb{F}_q)$ to look for the best possible bases. It is effective, but expensive. With a recursive algorithm over the projective line, one can directly construct bases of $\mathcal{L}(D)$ that improve the total complexity of the algorithm without using the action of the linear group.

3.2.1. Optimization strategy. Now, let us introduce the heart of the optimization strategy for Chudnovsky-type algorithms over the projective line. We want to sculpt $\mathcal{B}_D$ to obtain the minimum number of scalar multiplications and additions. For this purpose, we want to get as many zeros as possible before processing the number of ones. More precisely, we will focus on obtaining as many zeros as possible, and then as many ones as possible, in the matrix $T_D$. There are two reasons for that: we have no information on how the choice of the basis of $\mathcal{L}(D)$ affects the matrix $CT_{2D}^{-1}$, and moreover the matrix $T_D$ counts twice. For these reasons, our goal is finally to sculpt $\mathcal{B}_D$ such that $T_D$ has a maximal number of zeros, and then a maximal number of ones. Recall that $D = (n-1)P_\infty$, and hence $\mathcal{L}(D)$ is the space of polynomials over $\mathbb{F}_q$ of degree at most $n - 1$. Moreover, the places of $\mathbb{F}_q(x)$ are given by the irreducible polynomials of $\mathbb{F}_q[x]$ and the place at infinity.
The idea is to take the vectors of the basis $\mathcal{B}_D$ as products of irreducible polynomials associated to places in $\mathcal{P}_n$. Therefore, the evaluation of such a vector vanishes at the places used to define it. This translates into zeros in the matrix $T_D$. We define such bases as $\mathcal{P}_n$-bases of $\mathcal{L}(D)$.

Definition 3.4 ($\mathcal{P}_n$-basis of $\mathcal{L}(D)$). Let $q$ be a prime power and $n > 1$ be an integer. Let $\mathcal{P}_n = \{P_1, \ldots, P_N\}$ be a set of distinct places of $\mathbb{F}_q(x)$ such that $\sum_{P \in \mathcal{P}_n} \deg P = 2n - 1$. If $P_j$ is not the place at infinity, let $P_j(x)$ be the monic irreducible polynomial associated to the place $P_j$. In the case of $P_j = P_\infty$, let $P_j(x) = 1$. We say that $\mathcal{B} = \{V_1, \ldots, V_n\}$ is a $\mathcal{P}_n$-basis of $\mathcal{L}(D)$ if every vector $V_i$ of the basis $\mathcal{B}$ is defined as
$$V_i(x) = \prod_{P_j \in \mathcal{V}_i} P_j(x),$$
where $\mathcal{V}_i$ is a subset of $\mathcal{P}_n$. The set $\mathcal{V}_i$ is called the support of $V_i$.

Note that since $\mathcal{L}(D)$ is the space of polynomials of degree at most $n - 1$, the vectors defining the basis shall be of degree at most $n - 1$. The following proposition gives a lower bound for the number of zeros in the matrices $T_D$ constructed using a $\mathcal{P}_n$-basis of $\mathcal{L}(D)$.
Proposition 3.5. Let $\mathcal{B} = \{V_1, \ldots, V_n\}$ be a $\mathcal{P}_n$-basis of $\mathcal{L}(D)$, and let $T_D$ be a matrix obtained using $\mathcal{B}$. Then,
$$N_z(T_D) \ge \sum_{i=1}^{n} \deg V_i.$$
Proof. Every column of $T_D$ is given by the evaluation of a vector $V_i$ at the places in $\mathcal{P}_n$. Every such vector is the product of some $P_{i,j}(x)$, where $P_{i,j} \in \mathcal{V}_i \subset \mathcal{P}_n$, and $V_i$ can be written as the product $V_i(x) = P_{i,1}(x) \cdots P_{i,N_i}(x)$, where $\sum_{j=1}^{N_i} \deg P_{i,j} = \deg V_i$. In particular, $V_i(P_{i,j}) = 0$, and it gives $\deg P_{i,j}$ zeros in the $i$-th column of $T_D$, for all $j = 1, \ldots, N_i$. Then, the $i$-th column of $T_D$ contains at least $\deg V_i$ zeros. This is the case for all the $V_i$ in $\mathcal{B}_D$, and then $N_z(T_D) \ge \sum_{i=1}^{n} \deg V_i$.

The preferred configuration to maximize the number of zeros is when the vectors of the $\mathcal{P}_n$-basis $\mathcal{B}$ are of degree $n - 1$, or as close to $n - 1$ as possible.

Corollary 3.6. If $P_\infty \in \mathcal{P}_n$ and, for all $i$, $\deg V_i = n - 1$ or $n - 2$, then $N_z(T_D) \ge n(n - 1)$.

Proof. If $\deg V_i = n - 1$, then $V_i$ has $n - 1$ zeros. If $\deg V_i = n - 2$, then $V_i(P_\infty) = 0$, since this evaluation is the coefficient of $x^{n-1}$ in $V_i$ (by Definition 2.6), and $V_i$ has $n - 2$ zeros at the places (distinct from $P_\infty$) defining it. Finally, each of the $n$ vectors of the basis has at least $n - 1$ zeros.

3.2.2. Generic optimization. Thus far, we have seen that using $\mathcal{P}_n$-bases gives information on the number of zeros in the matrix $T_D$, and can therefore be used to improve the complexity of Chudnovsky-type algorithms over the projective line. It remains to be proven that such a basis always exists. An efficient way to obtain such a basis is to construct $\mathcal{B} = \{V_1, \ldots, V_n\}$ such that for all $i$, $\deg V_i = i - 1$. Secondly, we can construct the matrix $T_D$ and maximize its number of ones by multiplying the vectors of the basis by a constant in $\mathbb{F}_q$. For each column in $T_D$, suppose that $a \in \mathbb{F}_q$ is the non-zero scalar that occurs the most in the column. Then, we multiply the corresponding vector of the basis by $a^{-1}$. The generic construction of a $\mathcal{P}_n$-basis of $\mathcal{L}(D)$ is given in the following algorithm.

Algorithm 1. Construction of a generic $\mathcal{P}_n$-basis of $\mathcal{L}(D)$ and the associated matrix $T_D$.
INPUT: $q$, $n$, and $\mathcal{P}_n = \{P_1, \ldots, P_N\}$ a set of places such that $\sum_{P \in \mathcal{P}_n} \deg P = 2n - 1$.
OUTPUT: $\mathcal{B}_D$, $T_D$.
(1) For $i = 1, \ldots, n$, construct $V_i(x) = \prod_{P_j \in \mathcal{V}_i} P_j(x)$ such that $\deg V_i = i - 1$, where $\mathcal{V}_i$ is a subset of $\mathcal{P}_n$.
(2) Construct $T_D$. For each column of $T_D$, if $a \in \mathbb{F}_q$ is the non-zero scalar that occurs the most, multiply both the corresponding vector of $\mathcal{B}_D$ and the associated column of $T_D$ by $a^{-1}$.

The natural strategy to construct Chudnovsky-type algorithms over the projective line is to include in $\mathcal{P}_n$ all places by increasing degrees, until the sum of their degrees is equal to $2n - 1$ (if the sum gets bigger than $2n - 1$, remove a place of the appropriate degree, see [BBP20, Section 4.2]).
Proposition 3.7. If $\mathcal{P}_n$ is constructed by including places by increasing degrees, then Algorithm 1 is correct.

Proof. If $\mathcal{P}_n$ is constructed by taking places of increasing degrees, then it contains places of every degree up to some integer $k$, except in the case $q = 2$ where the only place of degree 2 of $\mathbb{F}_2(x)$ has been removed from $\mathcal{P}_n$. We can assume that $P_\infty$ is always in $\mathcal{P}_n$. Note that the polynomial associated to $P_\infty$ is defined by $P_\infty(x) = 1$ (see Definition 3.4). Suppose that $\mathcal{P}_n$ contains places of every degree up to some integer $k$. Then, there exists $P_j(x)$ of degree $j$ for $j = 1, \ldots, k$. Set $V_1(x) = 1$. Then, for $i = 2$ to $n - 1$, we construct the polynomials $V_i(x)$ by taking the product of all monic polynomials by increasing degrees until the degree is equal to $i - 1$ (if the degree gets greater than $i - 1$, divide this product by an appropriate monic irreducible polynomial that is in the support of $V_i$ at this moment of the construction). If $q = 2$ and $\mathcal{P}_n$ does not contain the place of degree 2, we can divide $V_i$ by the two irreducible polynomials of degree 1. Moreover, the sum of all $P_i(x)$ is of degree $2n - 2 \ge n$, and then we can construct $V_i(x)$ of degree $d$ for all $d = 0, \ldots, n - 1$. Finally, since there exist some products of the $P_i(x)$ for any degree $d$, one can obtain $n$ vectors $V_1(x), \ldots, V_n(x)$ of degrees $0, \ldots, n - 1$ respectively, such that for all $j$ the function $V_j(x)$ is the product of some distinct $P_i(x)$. Then, $\mathcal{B} = \{V_1(x), \ldots, V_n(x)\}$ is a $\mathcal{P}_n$-basis of $\mathcal{L}(D)$. Moreover, Algorithm 1 terminates in polynomial time.

Proposition 3.8. Algorithm 1 runs in time $O(n^3 \log n \log\log n)$.

Proof. Step 1. For the $n$ vectors, we take at most $n$ products of $P_i(x)$. We roughly consider that we have at most $n^2$ products of polynomials whose degrees are bounded by $n$. Each product can be computed with $O(n \log n \log\log n)$ operations by Schönhage-Strassen ([SS71], [vzGG03, Theorem 8.23]), thus this step can be completed in time $O(n^3 \log n \log\log n)$.
Step 2. The matrix $T_D$ can be constructed using $O(n^3)$ operations in the base field. Indeed, the coefficients of the matrix are obtained by computing the evaluations of the polynomials in the basis of $\mathcal{L}(D)$ at the places in $\mathcal{P}_n$. The evaluation of such a polynomial $V(x)$, of degree at most $n - 1$, at a place $P$ of degree $d < n$ is obtained by the modular reduction of $V(x)$ modulo $P(x)$. More precisely, let
$$v(x) = V(x) \bmod P(x) = \sum_{i=0}^{d-1} v_i x^i.$$
The coefficients $\{v_0, \ldots, v_{d-1}\}$ are exactly the evaluation of $V(x)$ at $P$ in the basis $\{1, \alpha, \ldots, \alpha^{d-1}\}$, for $\alpha$ a root of $P(x)$. Such a computation gives $d$ coefficients of the matrix, and can be carried out using the Euclidean algorithm for polynomials, which uses $O(nd)$ operations by [vzGG03, Theorem 3.11]. The matrix $T_D$ having $O(n^2)$ coefficients, all of them can be computed using $O(n^3)$ operations. Then, for the $n$ columns, we count each occurrence of the non-zero scalars among the $2n - 1$ coefficients. Then, we have to multiply the $n$ vectors of the basis and the $n$ columns of $T_D$ by a scalar. This last part is computed in $O(n^2)$. Finally, this step uses $O(n^3)$ operations in $\mathbb{F}_q$.

Remark 3.9. In [HvdH19], it is proven that if there exists a Linnik constant $L < 1 + 2^{-1162}$, the product of two degree $n$ polynomials over $\mathbb{F}_q$ can be computed in $O(n \log q \log(n \log q))$, uniformly in $q$. Considering that $q$ is fixed, the running time of Algorithm 1 becomes $O(n^3 \log n)$.

Example 3.10. Table 2 gives an illustration of the improvement of the complexity of Chudnovsky-type algorithms over the projective line for small extensions
of $\mathbb{F}_2$, and for the extension of degree 54. The non optimized algorithm uses the canonical basis $\{1, x, \ldots, x^{n-1}\}$ of $\mathcal{L}(D)$, while the generic optimization uses the basis provided by Algorithm 1. Details are given in Section 4.3.

Table 2. Total complexity of Chudnovsky-type algorithms over $\mathbb{F}_2(x)$

n   | Non optimized | Generic optimization
2   | 7             | 7
3   | 23            | 20
4   | 54            | 49
5   | 91            | 77
6   | 129           | 99
... | ...           | ...
54  | 10152         | 8703

3.2.3. Non-generic optimization. Even though we obtained a first improvement of the total complexity, this generic process does not provide the $\mathcal{P}_n$-basis of $\mathcal{L}(D)$ giving the best total complexity. For instance, we should take the vectors in the basis of the highest possible degree, since it ensures more zeros in the matrix. If the degree of the extension is low, we can check all possible $\mathcal{P}_n$-bases of $\mathcal{L}(D)$. Note that there are fewer than $2^{\#\mathcal{P}_n}$ possible vectors for the basis, and hence fewer than $\binom{2^{\#\mathcal{P}_n}}{n}$ possible $\mathcal{P}_n$-bases to try.

Remark 3.11. Even if this complete optimization is too heavy to be used generically for large extension degrees, it is still far more efficient than the optimization of [BBD19, BBD21] involving the action of the linear group. Considering the optimization in the extension of degree 13 of $\mathbb{F}_{16}$, the linear group is of cardinality $10^{203}$, while our strategy would consist in looking through $10^{72}$ possible $\mathcal{P}_n$-bases.

Depending on the time and resources that can be used, we can still improve the complexity of the algorithm. Instead of looking through all possible $\mathcal{P}_n$-bases, we can focus on the bases including only vectors of degree $n - 1$ or $n - 2$. Among these vectors, one can restrict to the ones whose evaluations give a maximum number of zeros. An example of such an optimization is given in Section 4.2.

This ends our strategy to optimize a Chudnovsky-type algorithm $U_{q,n}^{\mathcal{P}_n}(Q)$ over the projective line, when the parameters $\mathcal{P}_n$ and $Q$ are fixed. Finally, one can look for the best parameters, i.e. include in $\mathcal{P}_n$ in priority the places $P$ such that the multiplication in $\mathbb{F}_P$ with $U_{q,\deg P}^{\mathcal{P}_{\deg P}}(P)$ has the lowest complexity, or similarly for the place $Q$ of degree $n$. A full optimization process is given in Section 4.1.

4. Examples

In this section, we provide several examples of optimizations of Chudnovsky-type algorithms over the projective line. All the computations were done using the Magma Computational Algebra System [BCP97].

4.1. Multiplication in $\mathbb{F}_{256}$ over $\mathbb{F}_4$. We now apply the strategy introduced in the previous section to the multiplication in the extension of degree 4 of $\mathbb{F}_4$. The construction of a recursive Chudnovsky-type algorithm over the projective line to multiply in this extension has already been given in Example 2.7. More precisely, consider $\mathbb{F}_4 = \mathbb{F}_2[x]/(x^2 + x + 1)$. Hence, the elements of $\mathbb{F}_4$ are $\{0, 1, \omega, \omega^2\}$, where $\omega$ is a root of $x^2 + x + 1$. Let $\mathbb{F}_4(x)$ be the rational function field over $\mathbb{F}_4$. This function field has 5 rational places, which we denote by $P_0$, $P_1$, $P_\omega$, $P_{\omega^2}$ and
$P_\infty$. These places are given by the irreducible polynomials $x$, $x + 1$, $x + \omega$, $x + \omega^2$ and the place at infinity respectively. There exist 6 places of degree 2, which we denote by $P_1^2, \ldots, P_6^2$, and 60 places of degree 4. As in Example 2.7, we take $\mathcal{P}_4 = \{P_0, P_1, P_\omega, P_{\omega^2}, P_\infty, P^2\}$, where $P^2$ is one of the six places of degree 2, to obtain an algorithm of optimal bilinear complexity. Consequently, our algorithm requires the algorithm $U_{4,2}^{\mathcal{P}_2}(P^2)$. We first focus on optimizing this algorithm, in order to take $P^2$ such that the complexity of $U_{4,2}^{\mathcal{P}_2}(P^2)$ is minimal.

4.1.1. Optimization of $U_{4,2}^{\mathcal{P}_2}(P^2)$. As seen in Example 2.7, the Chudnovsky-type algorithm over the projective line for the multiplication in the quadratic extension of $\mathbb{F}_4$ is defined using the ordered set $\mathcal{P}_2 = \{P_0, P_1, P_\infty\}$. Actually, the canonical basis $\{f_1, f_2\} = \{1, x\}$ of $\mathcal{L}(D)$ is already optimal. In fact, the matrix $T_D$ is then given by
$$T_D = \begin{pmatrix} f_1(P_0) & f_2(P_0) \\ f_1(P_1) & f_2(P_1) \\ f_1(P_\infty) & f_2(P_\infty) \end{pmatrix} = \begin{pmatrix} 1 & 0 \\ 1 & 1 \\ 0 & 1 \end{pmatrix}.$$
It has a maximal number of zeros with respect to Proposition 3.2, and all its non-zero coefficients are equal to one. Hence, this matrix is optimal in terms of scalar complexity, and we do not need to search for a better basis of $\mathcal{L}(D)$. It remains to find for which places of degree 2 we obtain the most competitive algorithms. Hence, we compute $CT_{2D}^{-1}$ for all the 6 possible places of degree 2 of $\mathbb{F}_4(x)$. We obtain
• $N_z(CT_{2D}^{-1}) = 2$ with $P_1^2 = (x^2 + x + \omega)$ and $P_2^2 = (x^2 + x + \omega^2)$,
• $N_z(CT_{2D}^{-1}) = 1$ with all other places.
Moreover, using $P_1^2$ or $P_2^2$, we have $N_1(CT_{2D}^{-1}) = 3$. Hence, we can pick either $P_1^2$ or $P_2^2$ as the place of degree 2 in $\mathcal{P}_4$. By Proposition 3.3, we obtain
$$\mu_s(U_{4,2}^{\mathcal{P}_2}(P_1^2)) = 1,$$
and the number of additions is given by
$$a(U_{4,2}^{\mathcal{P}_2}(P_1^2)) = 4.$$

4.1.2. Optimization of $U_{4,4}^{\mathcal{P}_4}(Q)$. Recall that $\mathcal{P}_4 = \{P_0, P_1, P_\omega, P_{\omega^2}, P_\infty, P^2\}$. By the previous section, one shall pick $P^2 = P_1^2 = (x^2 + x + \omega)$ or $P_2^2 = (x^2 + x + \omega^2)$. In the following, we choose $P^2 = P_1^2$. We want to construct a good basis $\mathcal{B}_D$ of $\mathcal{L}(D)$, with $D = 3P_\infty$. Hence the Riemann-Roch space $\mathcal{L}(D)$ is the space of polynomials of degree at most 3 over $\mathbb{F}_4$. Note that this time $P_\infty$ is in $\mathcal{P}_4$. By Definition 2.6, a function $f$ in $\mathcal{L}(D)$ has a zero at $P_\infty$ if and only if $f$ is a polynomial of degree at most 2. For all other places $P$ in $\mathcal{P}_4$, let $P(x)$ be the corresponding polynomial. Then, a function $f$ in $\mathcal{L}(D)$ has a zero at $P$ if and only if $P(x) \mid f$. By Corollary 3.6, we shall construct the vectors of the basis as polynomials of degree $n - 1$ or $n - 2$ which are products of the polynomials defining the places in $\mathcal{P}_4$. Moreover, we want these vectors to vanish at rational places. Hence, we construct possible vectors for the basis of $\mathcal{L}(D)$ as
• the product of two irreducible polynomials of degree one, $P_i(x)P_j(x)$ for $i, j \in \{0, 1, \omega, \omega^2\}$; then this vector has zeros at the places $P_i$, $P_j$ and $P_\infty$,
• the product of three irreducible polynomials of degree one, $P_i(x)P_j(x)P_k(x)$ for $i, j, k \in \{0, 1, \omega, \omega^2\}$; then this vector has zeros at the places $P_i$, $P_j$ and $P_k$.
Consequently, we can take the vectors of the basis $\mathcal{B}_D$ as the product of three distinct elements of $\{1, x, x + 1, x + \omega, x + \omega^2\}$ until a basis is found. This gives $\binom{5}{3} = 10$ possible vectors for the basis of $\mathcal{L}(D)$. Then, there are $\binom{10}{4} = 210$ possible combinations of these vectors to build the basis. Moreover, we want the vectors in each combination to be relatively prime as polynomials, so that they do not all vanish at the same place. By computation, there are 150 possibilities left. We now consider that for given parameters, we only have to look through 150 possibilities to construct a $\mathcal{P}_4$-basis of $\mathcal{L}(D)$. In the strategy of [BBD19] and [BBD21], it was required to look through $|GL_4(\mathbb{F}_4)| = 2961100800$ possibilities. By Corollary 3.6, there are at least 12 zeros in the matrices $T_D$ obtained using these bases. Nevertheless, there can be at most 16 zeros by Proposition 3.2. We obtained exactly one basis of $\mathcal{L}(D)$ such that $N_z(T_D) = 16$. This basis is given by
$$\mathcal{B}_D = \{(x + \omega)(x + 1),\ x(x + 1),\ (x + \omega^2)(x + \omega),\ x(x + \omega^2)(x + \omega)\}.$$
The corresponding evaluation matrix $T_D$ is then
$$T_D = \begin{pmatrix} \omega & 0 & 1 & 0 \\ 0 & 1 & 0 & 0 \\ \omega & 1 & 0 & 0 \\ 0 & 0 & 1 & 1 \\ 0 & \omega & \omega^2 & 0 \\ \omega & 0 & 0 & \omega^2 \\ 0 & 0 & 0 & 1 \end{pmatrix},$$
where the rows are given by the evaluations at the places in $\mathcal{P}_4$, in the following order: $P_0$, $P_\omega$, $P_{\omega^2}$, $P_1$, $P_1^2$ and $P_\infty$. Notice that the evaluation at $P_1^2$ takes two rows, in the basis $\{1, \alpha\}$, where $\alpha$ is a root of $P_1^2(x)$. Following Step 2 of Algorithm 1, one shall try to increase the number of ones in this matrix. In particular, the first column only contains 0 and $\omega$. Hence, we modify the basis by multiplying the first vector by $\omega^{-1} = \omega^2$, and we obtain
$$\mathcal{B}_D = \{\omega^2(x + \omega)(x + 1),\ x(x + 1),\ (x + \omega^2)(x + \omega),\ x(x + \omega^2)(x + \omega)\}$$
and
$$T_D = \begin{pmatrix} 1 & 0 & 1 & 0 \\ 0 & 1 & 0 & 0 \\ 1 & 1 & 0 & 0 \\ 0 & 0 & 1 & 1 \\ 0 & \omega & \omega^2 & 0 \\ 1 & 0 & 0 & \omega^2 \\ 0 & 0 & 0 & 1 \end{pmatrix}.$$
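As an added worked example (not code from the paper), the following Python script reproduces the construction above and the evaluation step of Proposition 3.8: it evaluates the four basis vectors at the places of $\mathcal{P}_4$ by modular reduction, assembles $T_D$, applies Step 2 of Algorithm 1 to rescale the first column, and compares $N_z(T_D)$ and $N_1(T_D)$ with the bounds of Propositions 3.2 and 3.5. The integer encoding of $\mathbb{F}_4$, the list representation of polynomials and all function names are this example's own choices.

```python
# Added worked example (not code from the paper): build T_D for the P_4-basis of
# Section 4.1.2 over F_4, apply Step 2 of Algorithm 1 and check N_z, N_1 against
# Propositions 3.2 and 3.5.  Assumed encoding: F_4 = F_2[w]/(w^2+w+1), element
# a0 + a1*w stored as the integer a0 + 2*a1 (so W = w, W2 = w^2), addition is
# XOR; polynomials are coefficient lists, lowest degree first.
from collections import Counter

W, W2 = 2, 3
INFINITY = None                  # marker for the place at infinity P_inf
GF4_INV = {1: 1, W: W2, W2: W}   # w * w^2 = w^3 = 1

def gf4_mul(a, b):
    """Product in F_4 with w^2 = w + 1."""
    a0, a1, b0, b1 = a & 1, a >> 1, b & 1, b >> 1
    c0 = (a0 & b0) ^ (a1 & b1)
    c1 = (a0 & b1) ^ (a1 & b0) ^ (a1 & b1)
    return c0 | (c1 << 1)

def poly_mul(p, q):
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] ^= gf4_mul(a, b)
    return r

def poly_mod(p, m):
    """Remainder of p modulo the monic m, returned as exactly deg(m) coefficients."""
    r, dm = list(p), len(m) - 1
    for k in range(len(r) - 1, dm - 1, -1):
        if r[k]:  # cancel the leading term with r[k] * x^(k-dm) * m(x)
            c = r[k]
            for j in range(dm + 1):
                r[k - dm + j] ^= gf4_mul(c, m[j])
    r = r[:dm]
    return r + [0] * (dm - len(r))

def evaluate_at_place(v, place, n):
    """Evaluation of v in L((n-1)P_inf) at a place, as deg(place) coordinates:
    v mod P(x) in the basis {1, alpha, ..., alpha^(d-1)} for a finite place P
    (Proposition 3.8, Step 2); the coefficient of x^(n-1) at P_inf (Def. 2.6)."""
    if place is INFINITY:
        return [v[n - 1] if len(v) > n - 1 else 0]
    return poly_mod(v, place)

def evaluation_matrix(basis, places, n):
    """T_D as rows: one row per coordinate of each place, one column per vector."""
    rows = []
    for place in places:
        evals = [evaluate_at_place(v, place, n) for v in basis]
        for k in range(len(evals[0])):
            rows.append([e[k] for e in evals])
    return rows

def rescale_for_ones(basis, t_d):
    """Algorithm 1, Step 2: per column, find the most frequent non-zero scalar a
    and multiply that basis vector and the column by a^-1 (ties favour 1)."""
    basis = [list(v) for v in basis]
    t_d = [list(r) for r in t_d]
    for j in range(len(basis)):
        counts = Counter(r[j] for r in t_d if r[j])
        if not counts:
            continue
        a = max(counts, key=lambda s: (counts[s], s == 1))
        inv = GF4_INV[a]
        basis[j] = [gf4_mul(inv, c) for c in basis[j]]
        for r in t_d:
            r[j] = gf4_mul(inv, r[j])
    return basis, t_d

def count_zeros_ones(matrix):
    """(N_z, N_1) of a matrix."""
    flat = [c for row in matrix for c in row]
    return flat.count(0), flat.count(1)

def prop32_upper_bound(n, g, degrees):
    """Proposition 3.2: take places by growing degree while the degree sum stays
    <= n+g-1; every remaining place of degree d contributes d-1 extra zeros."""
    degrees, total, taken = sorted(degrees), 0, 0
    for d in degrees:
        if total + d > n + g - 1:
            break
        total, taken = total + d, taken + 1
    return n * (n + g - 1 + sum(d - 1 for d in degrees[taken:]))

# P_4 in the paper's row order: P_0, P_w, P_w^2, P_1, P_1^2 = (x^2+x+w), P_inf
P4 = [[0, 1], [W, 1], [W2, 1], [1, 1], [W, 1, 1], INFINITY]
P4_DEGREES = [1, 1, 1, 1, 2, 1]

# The P_4-basis of L(3 P_inf) of Section 4.1.2, before Step 2 of Algorithm 1:
# (x+w)(x+1), x(x+1), (x+w^2)(x+w), x(x+w^2)(x+w)
X, X1, XW, XW2 = [0, 1], [1, 1], [W, 1], [W2, 1]
B_D = [poly_mul(XW, X1), poly_mul(X, X1), poly_mul(XW2, XW),
       poly_mul(X, poly_mul(XW2, XW))]

def section_412_example(n=4):
    """Rescaled basis, its T_D and (N_z(T_D), N_1(T_D)) for the paper's example."""
    t_d = evaluation_matrix(B_D, P4, n)
    basis, t_d = rescale_for_ones(B_D, t_d)
    return basis, t_d, count_zeros_ones(t_d)
```

Calling section_412_example() returns the rescaled basis, the 7 x 4 matrix above row by row (with 2 standing for $\omega$ and 3 for $\omega^2$), and the pair (16, 9); prop32_upper_bound(4, 0, P4_DEGREES) returns the bound 16 that this matrix attains.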
The last step is now to find a place $Q$ that gives the best scalar complexity. Finally, we compute the matrices $CT_{2D}^{-1}$, using the basis of $\mathcal{L}(2D)$ given by $\mathcal{B}_{2D} = \mathcal{B}_D \cup \{x^4, x^5, x^6\}$, for all the 60 places $Q$ of degree 4 in $\mathbb{F}_4(x)$. There are 3 places such that $CT_{2D}^{-1}$ has a maximum number of zeros $N_z(CT_{2D}^{-1}) = 12$. Among those matrices, two have 4 coefficients equal to one, and the last one, defined using $Q = (x^4 + \omega x^2 + \omega x + \omega^2)$, has 6 coefficients equal to one. The matrix is in
this latter case given by
$$CT_{2D}^{-1} = \begin{pmatrix} \omega^2 & 0 & \omega & 0 & 1 & 0 & 1 \\ 1 & 0 & 0 & \omega^2 & \omega^2 & 1 & \omega^2 \\ 0 & \omega^2 & 0 & 0 & \omega & 0 & 1 \\ 0 & \omega & \omega & 0 & 0 & \omega & 1 \end{pmatrix}.$$
Finally, the algorithm $U_{4,4}^{\mathcal{P}_4}(Q)$ is obtained with these parameters. The finite field $\mathbb{F}_{4^4}$ is represented as $\mathbb{F}_4[x]/(Q(x)) = \mathbb{F}_4[\beta]$, for $\beta$ a root of $Q(x)$. Its basis over $\mathbb{F}_4$ is given by $\mathcal{B}_Q = Ev_Q(\mathcal{B}_D)$ and hence by
$$\mathcal{B}_Q = \{\beta^{43}, \beta^{198}, \beta^{108}, \beta^{109}\}.$$

4.1.3. Comparison with other algorithms. The matrices obtained contain $N_z(T_D) = 16$ and $N_z(CT_{2D}^{-1}) = 12$ zeros, and $N_1(T_D) = 9$ and $N_1(CT_{2D}^{-1}) = 6$ ones. Finally, we can compute the scalar complexity of $U_{4,4}^{\mathcal{P}_4}(Q)$, including the scalar complexity of $U_{4,2}^{\mathcal{P}_2}(P_1^2)$. By Proposition 3.3, we obtain
$$\mu_s(U_{4,4}^{\mathcal{P}_4}(Q)) = 17,$$
and
$$a(U_{4,4}^{\mathcal{P}_4}(Q)) = 4 + 2 \times 5 + 12 = 26.$$
Originally, the Baum-Shokrollahi experiment [BS91] introduced an algorithm for the extension of degree 4 of $\mathbb{F}_4$ with optimal bilinear complexity. This algorithm is an original CCMA over the function field defined by the Fermat curve $u^3 + v^3 = 1$. It uses 51 scalar multiplications and 52 additions. In [BBD19, BBD21], the same algorithm is optimized (BS Optimized) with a good choice of the basis of $\mathbb{F}_{4^4}$ to obtain only 19 scalar multiplications and 43 additions. In this paper, the proposed algorithm is constructed over the rational function field, and only requires 17 scalar multiplications and 26 additions, for the same bilinear complexity. At last, we want to compare our algorithm to well-known methods of polynomial interpolation. The generalized Karatsuba algorithm computes the product of two 4-term polynomials using 9 (bilinear) multiplications and 24 additions (see [WP06, Appendix]). Once this product is computed, the reduction modulo $Q(x)$ still needs to be performed. For the comparison, we define $\mathbb{F}_{4^4}$ as in our construction, using $Q(x) = x^4 + \omega x^2 + \omega x + \omega^2$. The reduction then uses 9 additions and 8 scalar multiplications. The comparison between these methods is given in Table 3. We can see that the total complexity of our algorithm is equal to Karatsuba's to within 1.
Remark 4.1. Other experiments have similar performances, for example for the degree 3 extension of $\mathbb{F}_2$, regardless of the polynomial used to define the extension (see Table 6 and Table 7).

Table 3. Comparison of algorithms for the multiplication in $\mathbb{F}_{4^4}$

Algorithm                    | μ_b(U) | μ_s(U) | a(U) | μ(U)
Baum-Shokrollahi [BS91]      | 8      | 51     | 52   | 111
BS Optimized [BBD21]         | 8      | 19     | 43   | 70
Our construction             | 8      | 17     | 26   | 51
Karatsuba [WP06] + Reduction | 9      | 8      | 33   | 50
4.2. The degree 13 extension of $\mathbb{F}_{16}$. Let the finite field $\mathbb{F}_{16}$ be defined as $\mathbb{F}_2(\omega)$, where $\omega$ is a root of $x^4 + x + 1$. In [Bal02], Ballet constructed a Chudnovsky-Chudnovsky Multiplication Algorithm with quasi-optimal bilinear complexity for the multiplication in the extension of degree $n = 13$ of $\mathbb{F}_{16}$. This algorithm is defined using the hyperelliptic curve of genus 2 given by the plane equation $y^2 + y = x^5$, which has 33 rational points. The algorithm uses 27 bilinear multiplications, which is still the best known bilinear complexity for the multiplication in this extension. The calculation of the number of operations of such an algorithm in Magma gives 833 scalar multiplications and 840 additions.

We can define a Chudnovsky-type algorithm over the projective line for the multiplication in $\mathbb{F}_{16^{13}}$ over $\mathbb{F}_{16}$. The rational function field over $\mathbb{F}_{16}$ has 17 rational places and 120 places of degree 2. We construct the set $\mathcal{P}_{16}$ with the 17 rational places and 4 places of degree 2. Then, the sum of the degrees of the places in $\mathcal{P}_{16}$ is equal to $17 + 2 \times 4 = 25 = 2n - 1$. As in the previous example, we start by including in $\mathcal{P}_{16}$ the places $P^2$ of degree 2 such that the algorithm $U_{16,2}^{\mathcal{P}_2}(P^2)$ has the best complexity. There are 8 places $P^2$ of degree 2 such that $\mu_s(U_{16,2}^{\mathcal{P}_2}(P^2)) = 1$ and $a(U_{16,2}^{\mathcal{P}_2}(P^2)) = 4$. We include 4 of them in $\mathcal{P}_{16}$. In the following, we consider that the places of degree 2 in $\mathcal{P}_{16}$ are given by $(x^2 + x + \omega^7)$, $(x^2 + x + \omega^{14})$, $(x^2 + x + \omega^{13})$ and $(x^2 + x + \omega^{11})$. Consider the place $Q = (x^{13} + x^4 + x^3 + x + 1)$ of $\mathbb{F}_{16}(x)$ of degree 13, and $D = 12P_\infty$. We can now construct the algorithm $U_{16,13}^{\mathcal{P}_{16}}(Q)$. Without any optimization, we use the canonical basis of $\mathcal{L}(D)$ given by $\{1, x, \ldots, x^{12}\}$. The algorithm then uses 29 bilinear multiplications, 686 scalar multiplications and 815 additions.

4.2.1. Generic optimization. With Algorithm 1, we can construct a $\mathcal{P}_{16}$-basis of $\mathcal{L}(D)$.
This basis is given by
$V_1 = 1$,
$V_2 = x$,
$V_3 = \omega^{11}x^2 + \omega^{12}x$,
$V_4 = \omega^{13}x^3 + \omega^3x^2 + \omega x$,
$V_5 = \omega^{13}x^4 + \omega^9x^3 + \omega^{11}x^2 + \omega^4x$,
$V_6 = \omega^{12}x^5 + \omega^{10}x^4 + \omega^3x^3 + x^2 + \omega^7x$,
$V_7 = \omega^{13}x^6 + \omega^5x^5 + x^4 + \omega^3x^3 + \omega^{14}x^2 + \omega^{13}x$,
$V_8 = \omega^{12}x^7 + \omega^7x^6 + \omega^{11}x^5 + \omega x^4 + \omega^3x^3 + \omega^6x^2 + \omega^3x$,
$V_9 = \omega^{11}x^8 + \omega^2x^7 + \omega^9x^6 + \omega^8x^5 + \omega^{12}x^4 + \omega^6x^3 + \omega^7x^2 + \omega^9x$,
$V_{10} = \omega^{14}x^9 + \omega^{13}x^8 + \omega x^7 + \omega^3x^6 + \omega x^5 + \omega^{12}x^4 + \omega^4x^3 + \omega^{10}x^2 + \omega^5x$,
$V_{11} = \omega^7x^{10} + \omega^{11}x^9 + \omega^7x^8 + \omega^5x^7 + \omega^6x^6 + \omega^{11}x^5 + \omega^5x^4 + \omega^2x^3 + \omega x^2 + \omega^7x$,
$V_{12} = \omega^5x^{11} + \omega^7x^{10} + \omega^8x^9 + \omega^{14}x^8 + \omega^{11}x^7 + \omega^4x^6 + \omega^7x^5 + \omega^6x^4 + \omega^{11}x^3 + \omega^6x^2 + x$,
$V_{13} = x^{12} + \omega^9x^{11} + \omega^8x^{10} + \omega^4x^9 + \omega^9x^8 + \omega^{13}x^7 + \omega^4x^6 + \omega^{12}x^5 + \omega^4x^4 + \omega^5x^3 + \omega^3x^2 + \omega^6x$.
Using this basis, the complexity of the algorithm is reduced to 614 scalar multiplications and 705 additions.

4.2.2. Non-generic optimization. In Remark 3.11, we saw that there are too many possible $\mathcal{P}_{16}$-bases for an exhaustive search. Nevertheless, we can still improve our algorithm. By the proof of Proposition 3.2, a column of the matrix $T_D$ contains at most $n - 1 + 4 = 16$ zeros, since $\mathcal{P}_{16}$ contains 4 places of degree 2. Moreover, this equality is possible if and only if the corresponding vector of the basis of $\mathcal{L}(D)$ vanishes only at rational places. Thus, we consider the set $S = \{1, x, x + \omega, x + \omega^2, \ldots, x + \omega^{15}\}$. By Corollary 3.6, we want to construct products of these elements of degree 11 or 12, such that the resulting function vanishes at 12 rational places of $\mathbb{F}_{16}(x)$. Such a polynomial is the product of 12 elements of $S$. Hence, there are $\binom{17}{12} = 6188$ possibilities. Moreover, the evaluation of each of these vectors gives at most 16 zeros. For all these functions $f$, we compute $Ev_{\mathcal{P}}(f)$, the vector of the evaluations of $f$ at the places in $\mathcal{P}_{16}$. There are 49 of them containing 16 zeros. Finally, it remains to find a basis using 13 of these vectors. There are still $\binom{49}{13} = 262596783764$ possibilities. This is very few compared to an exhaustive search of a $\mathcal{P}_{16}$-basis ($10^{72}$ possibilities), but still too many. We finally search randomly for a basis using these vectors, and apply Step 2 of Algorithm 1 to reduce the number of scalar multiplications. We obtain the following basis.
$V_1 = \omega^4x^{12} + \omega^5x^{10} + \omega^8x^9 + \omega^6x^8 + \omega^2x^6 + \omega^{10}x^5 + \omega^3x^4 + \omega x^3 + \omega^9x^2 + \omega^{12}x + 1$,
$V_2 = \omega^4x^{12} + \omega^5x^{10} + \omega^8x^9 + \omega^3x^8 + \omega^2x^6 + \omega^{10}x^5 + \omega^9x^4 + \omega x^3 + \omega^{12}x^2 + \omega^6x$,
$V_3 = \omega x^{12} + \omega^5x^{10} + \omega^2x^9 + \omega^6x^8 + \omega^8x^6 + \omega^{10}x^5 + \omega^3x^4 + \omega^4x^3 + \omega^9x^2 + \omega^{12}x$,
$V_4 = \omega^9x^{11} + \omega^9x^{10} + \omega^{10}x^9 + \omega^7x^7 + \omega^7x^6 + \omega^{14}x^5 + x^4 + \omega^{12}x^2 + \omega^6x$,
$V_5 = \omega^2x^{12} + \omega^{10}x^{10} + \omega^4x^9 + \omega^9x^8 + \omega x^6 + \omega^5x^5 + \omega^{12}x^4 + \omega^8x^3 + \omega^6x^2 + \omega^3x$,
$V_6 = \omega^{13}x^{11} + \omega^{13}x^{10} + \omega^3x^9 + \omega^{13}x^7 + \omega^{13}x^6 + \omega^8x^5 + \omega^3x^3 + \omega^8x^2 + \omega^3x$,
$V_7 = x^{12} + x^9 + \omega^{10}x^8 + x^6 + \omega^5x^4 + x^3 + \omega^{10}x^2 + \omega^5x$,
$V_8 = \omega^8x^{12} + \omega^{10}x^{10} + \omega x^9 + \omega^{12}x^8 + \omega^4x^6 + \omega^5x^5 + \omega^6x^4 + \omega^2x^3 + \omega^3x^2 + \omega^9x + 1$,
$V_9 = \omega^{10}x^{12} + x^{10} + \omega^5x^9 + \omega^8x^8 + \omega^5x^6 + x^5 + \omega^4x^4 + \omega^{10}x^3 + \omega^2x^2 + \omega x$,
$V_{10} = x^{11} + x^{10} + x^9 + \omega^{10}x^7 + \omega^{10}x^6 + \omega^5x^5 + \omega^5x^4 + x^2 + \omega^5x$,
$V_{11} = \omega^{12}x^{11} + \omega^{12}x^{10} + \omega^5x^9 + \omega^{11}x^7 + \omega^{11}x^6 + \omega^7x^5 + x^4 + \omega^6x^2 + \omega^3x$,
$V_{12} = \omega^2x^{11} + \omega^2x^{10} + \omega^{10}x^9 + x^7 + x^6 + \omega^6x^5 + \omega^8x^4 + \omega^9x^3 + \omega^2x^2 + \omega^6x$,
$V_{13} = \omega^{14}x^{11} + \omega^{14}x^{10} + \omega^9x^9 + \omega^{14}x^7 + \omega^{14}x^6 + \omega^4x^5 + \omega^9x^3 + \omega^4x^2 + \omega^9x$.

Using this basis, the Chudnovsky-type algorithm $U_{16,13}^{\mathcal{P}_{16}}(Q)$ now uses 423 scalar multiplications and 487 additions. The Karatsuba algorithm is more expensive in terms of bilinear complexity, using 66 bilinear multiplications instead of 29 with our method. It also uses 277 additions
([WP06, Appendix]). As in the previous section, we compute the reduction modulo $Q(x)$ with 66 additions. We notice that there is no scalar multiplication. This is due to the choice of $Q(x)$, which has all its coefficients in $\mathbb{F}_2$. This kind of situation is more favorable to Karatsuba's technique than to our method for the scalar complexity. On the other hand, we can see that our method is clearly more efficient than the CCMA method using a curve of genus 2. The complexities of all these algorithms are summarized in Table 4.

Table 4. Comparison of algorithms for the multiplication in $\mathbb{F}_{16^{13}}$

Algorithm                                  | μ_b(U) | μ_s(U) | a(U) | μ(U)
CCMA [Bal02]                               | 27     | 833    | 840  | 1700
Our construction, non optimized            | 29     | 686    | 815  | 1530
Our construction, generic optimization     | 29     | 614    | 705  | 1348
Our construction, non-generic optimization | 29     | 423    | 487  | 939
Karatsuba [WP06] + Reduction               | 66     | 0      | 338  | 404
4.3. Generic optimization over $\mathbb{F}_2$. For this last example, we fix the base field to be $\mathbb{F}_2$. We want to construct and generically optimize Chudnovsky-type algorithms over the projective line to reach large extensions. In the following, each set of places $\mathcal{P}_n$ is constructed by taking all places of growing degrees until the sum is equal to $2n - 1$. Recall that if at some point the sum is bigger than $2n - 1$, we can remove a place from $\mathcal{P}_n$ to obtain exactly $2n - 1$. Note that since we consider extensions of $\mathbb{F}_2$, there are no scalar multiplications. Moreover, the number of additions depends on the place of degree $n$ used to define the extension. For this reason, we return a list of values for the number of additions, following the order of the places given by Magma. We give the results for the extensions of degree up to 6 for a recursive Chudnovsky-type algorithm over the projective line, first non-optimized (Table 5), then generically optimized (Table 6), and compared to the Karatsuba algorithm ([WP06, Appendix]) with the polynomial reduction (Table 7). Using all places of degree lower than or equal to 6 of $\mathbb{F}_2(x)$, one can define a Chudnovsky-type algorithm over the projective line for the multiplication in the extension of degree 54 of $\mathbb{F}_2$. The set $\mathcal{P}_{54}$ then contains all of these places. Considering
$$Q(x) = x^{54} + x^{34} + x^{32} + x^{31} + x^{30} + x^{29} + x^{27} + x^{25} + x^{21} + x^{18} + x^{17} + x^{16} + x^{15} + x^{13} + x^7 + x^4 + x^2 + x + 1,$$
we obtain the results of Table 8.

Remark 4.2. In this paper, we focused on constructing the matrices that give the fewest possible operations when applied canonically. We did not focus on how to compute the multiplication by those matrices. For instance, if a non-trivial $\alpha$ appears more than once in a column of a matrix, we can compute the multiplication by $\alpha$ once and for all, thus reducing the number of scalar multiplications.

Remark 4.3.
This strategy of optimization is specialized to Chudnovsky-type algorithms over the rational function field $\mathbb{F}_q(x)$, where the places are fully defined by polynomials over $\mathbb{F}_q$. Nevertheless, one can consider the generalization of this
STÉPHANE BALLET ET AL.
Table 5. Non optimized generic Chudnovsky-type algorithms over the projective line

Extension degree | μb(U) | a(U)                                           | min{μ(U)}
2                | 3     | [4]                                            | 7
3                | 6     | [18, 17]                                       | 23
4                | 11    | [44, 44, 43]                                   | 54
5                | 15    | [81, 85, 76, 78, 78, 79]                       | 91
6                | 18    | [118, 125, 115, 112, 112, 126, 112, 115, 111]  | 129

Table 6. Generically optimized Chudnovsky-type algorithms over the projective line

Extension degree | μb(U) | a(U)                                           | min{μ(U)}
2                | 3     | [4]                                            | 7
3                | 6     | [14, 14]                                       | 20
4                | 11    | [41, 41, 38]                                   | 49
5                | 15    | [65, 68, 68, 62, 63, 66]                       | 77
6                | 18    | [88, 93, 95, 95, 89, 93, 81, 89, 85]           | 99

Table 7. Karatsuba [WP06] + Reduction

Extension degree | μb(U) | a(U)                                           | min{μ(U)}
2                | 3     | [6]                                            | 9
3                | 6     | [19, 19]                                       | 25
4                | 9     | [32, 30, 35]                                   | 49
5                | 15    | [57, 60, 58, 60, 63, 59]                       | 72
6                | 18    | [82, 78, 71, 67, 78, 79, 79, 83, 75]           | 85

Table 8. Comparison of algorithms for the multiplication in F_{2^54}

Algorithm                           | μb(U) | a(U) | μ(U)
Our Construction, Non optimized     | 303   | 9849 | 10152
Our Construction, Generic optimization | 303 | 8400 | 8703
Karatsuba [WP06] + Reduction        | 630   | 4512 | 5142
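The construction of the place sets P_n described at the start of Section 4.3, and the bilinear complexity it yields, as an added Python example; this is not code from the paper (which uses Magma). It assumes that on an overshoot the removed place has degree equal to the excess, and that the recursive algorithm multiplies in F_{2^d} (for a place of degree d) by the same construction, so μ_b(n) = Σ μ_b(deg P); under these assumptions it reproduces the μb(U) column of Tables 5 to 7 and the 303 of Table 8.

```python
# Added example (not code from the paper, which uses Magma): enumerate the
# places of F_2(x), build the place sets P_n of Section 4.3 and count the
# bilinear multiplications mu_b(U) of the recursive Chudnovsky-type algorithm.
from functools import lru_cache


def poly_mod(a, b):
    """Remainder of a modulo b; both are binary polynomials packed as ints
    (bit i is the coefficient of x^i)."""
    db = b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        a ^= b << (a.bit_length() - 1 - db)
    return a


def irreducibles_f2(d):
    """Monic irreducible polynomials of degree d over F_2, as packed ints."""
    # a reducible polynomial of degree d has a factor of degree <= d // 2,
    # so trial division by every polynomial of degree 1..d//2 suffices
    divisors = range(2, 1 << (d // 2 + 1))
    return [p for p in range(1 << d, 1 << (d + 1))
            if all(poly_mod(p, q) != 0 for q in divisors)]


def fmt(p):
    """Pretty-print a packed polynomial, e.g. 11 -> 'x^3 + x + 1'."""
    terms = [("1" if i == 0 else "x" if i == 1 else f"x^{i}")
             for i in range(p.bit_length() - 1, -1, -1) if p >> i & 1]
    return " + ".join(terms)


MAX_DEG = 6  # degrees <= 6 already reach 2*54 - 1 = 107, as in Table 8


def places_f2x(max_deg=MAX_DEG):
    """Places of F_2(x) in order of growing degree: the place at infinity
    (degree 1) followed by the monic irreducible polynomials, as
    (degree, label) pairs."""
    places = [(1, "infinity")]
    for d in range(1, max_deg + 1):
        places += [(d, fmt(p)) for p in irreducibles_f2(d)]
    return places


PLACES = places_f2x()


def build_place_set(n):
    """P_n: take places of growing degree until the degrees sum to >= 2n-1.
    On an overshoot by e, drop one chosen place of degree e to land exactly on
    2n-1 (our reading of the removal step described in Section 4.3)."""
    target = 2 * n - 1
    chosen, total = [], 0
    for place in PLACES:
        if total >= target:
            break
        chosen.append(place)
        total += place[0]
    if total < target:
        raise ValueError(f"places of degree <= {MAX_DEG} do not reach {target}")
    if total > target:
        excess = total - target
        cands = [i for i, (d, _) in enumerate(chosen) if d == excess]
        if not cands:
            raise ValueError(f"no place of degree {excess} to drop for n={n}")
        chosen.pop(cands[-1])  # which one is dropped does not change mu_b
    return chosen


@lru_cache(maxsize=None)
def mu_b(n):
    """Bilinear complexity of the recursive construction (assumption: a place
    of degree d costs mu_b(d), i.e. F_{2^d} is multiplied by the same
    construction; this reproduces the mu_b(U) column of Tables 5 to 8)."""
    if n == 1:
        return 1
    return sum(mu_b(d) for d, _ in build_place_set(n))


def degree_profile(n):
    """How many places of each degree P_n contains, e.g. {1: 3, 2: 1, 3: 2}
    for n = 6."""
    profile = {}
    for d, _ in build_place_set(n):
        profile[d] = profile.get(d, 0) + 1
    return profile


if __name__ == "__main__":
    for n in (2, 3, 4, 5, 6, 54):
        print(f"n = {n:2d}: P_n profile {degree_profile(n)}, mu_b = {mu_b(n)}")
```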
strategy to optimize algorithms over a function field F/F_q of genus g > 0, by using local uniformizers of the places instead of monic irreducible polynomials.
Remark 4.4. This work, together with [BBD19, BBD21], constitutes the very first work on the scalar optimization of Chudnovsky-type algorithms, and it significantly reduces the number of algebraic operations used by these algorithms. Concerning
practical efficiency, this is a first step before being able to explore and realize efficient implementations of the formulae given by the method. It would then be relevant to time implementations of our algorithms, and possibly to compare them, for instance, with the specific algorithms over F4 presented by Harvey, Lecerf and van der Hoeven in [HvdHL16]. But this comparison with these algorithms is important enough to require a further work of its own. More precisely, it requires translating the algorithms we obtained into computer instructions, for example using multiplications and additions, but also shifts. Furthermore, it would also be interesting to compare our results with other evaluation and interpolation algorithms over rational points (other than Karatsuba's) that are closer to our method, like the Toom-Cook methods optimized by Bodrato [Bod07] and by Bodrato and Zanoni in [BZ07]. But even this comparison requires a non-trivial translation of our method, which can only be done later.

Acknowledgment
The authors are deeply grateful to the anonymous referees for their comments, which helped to improve and complete this article.

References
[Bal02] Stéphane Ballet, Quasi-optimal algorithms for multiplication in the extensions of F16 of degree 13, 14 and 15, J. Pure Appl. Algebra 171 (2002), no. 2-3, 149–164, DOI 10.1016/S0022-4049(01)00137-2. MR1904474
[BBD19] Stéphane Ballet, Alexis Bonnecaze, and Thanh-Hung Dang, On the scalar complexity of Chudnovsky² multiplication algorithm in finite fields, Algebraic informatics, Lecture Notes in Comput. Sci., vol. 11545, Springer, Cham, 2019, pp. 64–75, DOI 10.1007/978-3-030-21363-3_6. MR3976187
[BBD21] Stéphane Ballet, Alexis Bonnecaze, and Thanh-Hung Dang, Optimization of the scalar complexity of Chudnovsky² multiplication algorithms in finite fields, Cryptogr. Commun. 13 (2021), no. 4, 495–517, DOI 10.1007/s12095-021-00494-y. MR4298229
[BBP20] Stéphane Ballet, Alexis Bonnecaze, and Bastien Pacifico, Multiplication in finite fields with Chudnovsky-type algorithms on the projective line, 2020, hal-02911546, https://doi.org/10.48550/arxiv.2007.16082.
[BCP97] Wieb Bosma, John Cannon, and Catherine Playoust, The Magma algebra system. I. The user language, J. Symbolic Comput. 24 (1997), no. 3-4, 235–265, DOI 10.1006/jsco.1996.0125. Computational algebra and number theory (London, 1993). MR1484478
[BCP+21] S. Ballet, J. Pieltant, M. Rambaud, H. Randriambololona, R. Rolland, and J. Chaumine, On the tensor rank of multiplication in finite extensions of finite fields and related issues in algebraic geometry (Russian, with Russian summary), Uspekhi Mat. Nauk 76 (2021), no. 1(457), 31–94, DOI 10.4213/rm9928. MR4223937
[BCS97] Peter Bürgisser, Michael Clausen, and M. Amin Shokrollahi, Algebraic complexity theory, Grundlehren der mathematischen Wissenschaften [Fundamental Principles of Mathematical Sciences], vol. 315, Springer-Verlag, Berlin, 1997. With the collaboration of Thomas Lickteig, DOI 10.1007/978-3-662-03338-8. MR1440179
[Bod07] Marco Bodrato, Towards optimal Toom-Cook multiplication for univariate and multivariate polynomials in characteristic 2 and 0, Arithmetic of finite fields, Lecture Notes in Comput. Sci., vol. 4547, Springer, Berlin, 2007, pp. 116–133, DOI 10.1007/978-3-540-73074-3_10. MR2373888
[BS91] Ulrich Baum and Mohammad Amin Shokrollahi, An optimal algorithm for multiplication in F256/F4, Appl. Algebra Engrg. Comm. Comput. 2 (1991), no. 1, 15–20, DOI 10.1007/BF01810851. MR1209240
[BZ07] Marco Bodrato and Alberto Zanoni, Integer and polynomial multiplication: towards optimal Toom-Cook matrices, ISSAC 2007, ACM, New York, 2007, pp. 17–24, DOI 10.1145/1277548.1277552. MR2396179
[CC88] D. V. Chudnovsky and G. V. Chudnovsky, Algebraic complexities and algebraic curves over finite fields, J. Complexity 4 (1988), no. 4, 285–316, DOI 10.1016/0885-064X(88)90012-X. MR974928
[Fü09] Martin Fürer, Faster integer multiplication, SIAM J. Comput. 39 (2009), no. 3, 979–1005, DOI 10.1137/070711761. MR2538847
[HvdH19] David Harvey and Joris van der Hoeven, Polynomial multiplication over finite fields in time O(n log n), Journal of the ACM, Volume 69, Issue 2, April 2022, Article No.: 12, pp. 1–40, https://doi.org/10.1145/3505584.
[HvdHL16] David Harvey, Joris van der Hoeven, and Grégoire Lecerf, Fast polynomial multiplication over F_{2^60}, Proceedings of the 2016 ACM International Symposium on Symbolic and Algebraic Computation, ACM, New York, 2016, pp. 255–262. MR3565722
[Kar63] Anatolii Karatsuba, Multiplication of multidigit number on automata, Soviet Physics Doklady 7 (1963), 595–596.
[SS71] A. Schönhage and V. Strassen, Schnelle Multiplikation grosser Zahlen (German, with English summary), Computing (Arch. Elektron. Rechnen) 7 (1971), 281–292, DOI 10.1007/bf02242355. MR292344
[Sti08] Henning Stichtenoth, Algebraic function fields and codes, 2nd ed., Graduate Texts in Mathematics, vol. 254, Springer-Verlag, Berlin, 2009. MR2464941
[STV92] Igor E. Shparlinski, Michael A. Tsfasman, and Serge G. Vladut, Curves with many points and multiplication in finite fields, Coding theory and algebraic geometry (Luminy, 1991), Lecture Notes in Math., vol. 1518, Springer, Berlin, 1992, pp. 145–169, DOI 10.1007/BFb0087999. MR1186422
[vzGG03] Joachim von zur Gathen and Jürgen Gerhard, Modern computer algebra, 2nd ed., Cambridge University Press, Cambridge, 2003. MR2001757
[WP06] André Weimerskirch and Christof Paar, Generalizations of the Karatsuba Algorithm for efficient implementations, IACR Cryptology ePrint Archive (2006).

Institut Mathématiques de Marseille, Aix Marseille Univ, CNRS, I2M, Marseille, France
Email address: [email protected]
Institut Mathématiques de Marseille, Aix Marseille Univ, CNRS, I2M, Marseille, France
Email address: [email protected]
Institut Mathématiques de Marseille, Aix Marseille Univ, CNRS, I2M, Marseille, France
Email address: [email protected]
Contemporary Mathematics Volume 779, 2022 https://doi.org/10.1090/conm/779/15669
On the constant D(q) defined by Homma Peter Beelen, Maria Montanucci, and Lara Vicino Abstract. Let X be a projective, irreducible, nonsingular algebraic curve over the finite field Fq with q elements and let |X (Fq )| and g(X ) be its number of rational points and genus respectively. The Ihara constant A(q) has been intensively studied during the last decades, and it is defined as the limit superior of |X (Fq )|/g(X ) as the genus of X goes to infinity. In 2012 Homma defined an analogue D(q) of A(q), where the nonsingularity of X is dropped and g(X ) is replaced with the degree of X . We will call D(q) Homma’s constant. In this paper, upper and lower bounds for the value of D(q) are found.
1. Introduction
Let $p$ be a prime and let $q = p^e$ be a prime power. Let $\mathcal{X}$ be a projective, nonsingular, geometrically irreducible curve of genus $g$. The interaction between the genus $g$ of $\mathcal{X}$ and the number $|\mathcal{X}(\mathbb{F}_q)|$ of its rational points has been the subject of intense study in recent years. It is well known that the Weil bound $|\mathcal{X}(\mathbb{F}_q)| \le q + 1 + 2g\sqrt{q}$ is not sharp if $g$ is large compared to $q$. Put
$$N_q(g) := \max |\mathcal{X}(\mathbb{F}_q)|, \tag{1.1}$$
where the maximum is taken over all curves $\mathcal{X}/\mathbb{F}_q$ with genus $g$. The Ihara constant is defined by
$$A(q) := \limsup_{g \to \infty} \frac{N_q(g)}{g}. \tag{1.2}$$
This is a measure of the asymptotic behaviour of the number of rational points on curves over $\mathbb{F}_q$ when the genus becomes large. Ihara's constant $A(q)$ has been intensively studied during the last decades. For any $q$, we have $A(q) \le \sqrt{q} - 1$ (see [4]), and if $q$ is a square we have (see [13, 21]) $A(q) = \sqrt{q} - 1$. For any $q$, using class field theory, Serre [17] showed that $A(q) > c \log(q)$ for some constant $c > 0$ independent of $q$. In particular $A(q) > 0$ for all $q$. For $q = p^{2m+1}$, with $m > 0$, the currently best-known lower bound is
$$A(q) \ge 2\left(\frac{1}{p^m - 1} + \frac{1}{p^{m+1} - 1}\right)^{-1},$$
see [2]. The exact value of $A(q)$ is however unknown when $q$ is not a square.

2020 Mathematics Subject Classification. Primary 14G15, 14H50; Secondary 11G20, 14H25.
Key words and phrases. Algebraic curve, rational point, finite field.
The first and second authors were supported by The Danish Council for Independent Research (DFF-FNU), project Correcting on a Curve, Grant No. 8021-00030B.
© 2022 American Mathematical Society
34
PETER BEELEN ET AL.
If the curve $\mathcal{X}$ is seen as a projective curve $\mathcal{X} \subseteq \mathbb{P}^n(\mathbb{F}_q)$ of degree $d > 0$ and it is not necessarily required to be nonsingular, a different question can be addressed: how large can $|\mathcal{X}(\mathbb{F}_q)|$ be with respect to $d$? In a series of papers [10–12] it has been shown that if $\mathcal{X}$ is a (possibly reducible) plane curve without $\mathbb{F}_q$-linear components, then
$$|\mathcal{X}(\mathbb{F}_q)| \le (d - 1)q + 1, \tag{1.3}$$
except for curves isomorphic over $\mathbb{F}_4$ to the curve defined by
$$K : (X + Y + Z)^4 + (XY + YZ + ZX)^2 + XYZ(X + Y + Z) = 0,$$
which satisfies $|K(\mathbb{F}_4)| = 14$. The bound (1.3) was originally conjectured by Sziklai [19], and he found that some curves actually achieve this bound. The natural question on whether the bound (1.3) is valid for curves in higher dimensional projective space $n \ge 3$ was analyzed by Homma in [9]. There, it is obtained that (1.3) is also true when $n \ge 3$ and $\mathcal{X}$ has no $\mathbb{F}_q$-linear components, unless $d = q = 4$ and $\mathcal{X}$ is $\mathbb{F}_q$-isomorphic to the plane curve $K$. In the same paper [9], an analogue of the Ihara constant $A(q)$ (1.2) is given when replacing the genus $g$ with the degree $d$. First, we replace $N_q(g)$ as defined in (1.1) with $M_q(d) := \max |\mathcal{X}(\mathbb{F}_q)|$, where this time the maximum is taken over all irreducible curves of a fixed degree $d$ in a projective space of some dimension over $\mathbb{F}_q$. Here the dimension is not fixed and therefore allowed to be arbitrarily large. Then the analogue of $A(q)$ is defined as
$$D(q) := \limsup_{d \to \infty} \frac{M_q(d)}{d}, \tag{1.4}$$
which measures the asymptotic behavior of the number of rational points of projective curves over $\mathbb{F}_q$ when $d$ becomes large. In [9] it was observed that since the bound (1.3) is valid for curves in any projective space $\mathbb{P}^n(\mathbb{F}_q)$, $n \ge 2$, with the exception already mentioned above, one may conclude that $D(q) \le q$. In the same paper also the lower bound $D(q) \ge A(q)/2$ was derived, but the exact value of $D(q)$ remains unknown for all $q$. In this paper, new upper and lower bounds for the value of $D(q)$, which we from now on will call Homma's constant, are found by a refinement of Homma's methods and by using towers of algebraic function fields. Our main results are summarized in the following theorem.
Theorem 1.5. Let $q = p^e$ be a prime power and let $D(q)$ be Homma's constant as defined in (1.4). Then
(1) $D(q) \le q - 1$,
(2) $D(q) \ge 1$ provided that $q > 2$,
(3) $D(q^2) \ge \dfrac{q}{q+1} A(q^2) = \dfrac{q^2 - q}{q + 1}$.
Note that the lower bound $D(q) \ge 1$ is interesting for small values of $q$ only, since otherwise Homma's lower bound $D(q) \ge A(q)/2$ is better. The values $q \le 31$ for which the lower bound $D(q) \ge 1$ is currently the best known are listed in Remark 4.6. The paper is organized as follows. We start by slightly improving Homma's upper bound on $D(q)$ in Section 2 by refining his argument, thus proving Item 1 of Theorem 1.5. Next we prove Item 2 of Theorem 1.5 in Section 3 by explicitly constructing a sequence of curves whose degrees are close to their number of rational
points. Finally, the main part of the paper is devoted to proving Item 3 of Theorem 1.5 in the final section.
2. An upper bound for D(q): the proof of Item 1 in Theorem 1.5
The upper bound $D(q) \le q$ obtained by Homma in [9, Proposition 5.4] was deduced from the bound (1.3), but in the same paper the following theorem was given.
Theorem 2.1 ([9, Theorem 3.2]). Let $\mathcal{X}$ be a nondegenerate irreducible curve of degree $d$ in $\mathbb{P}^n(\mathbb{F}_q)$. Then
$$|\mathcal{X}(\mathbb{F}_q)| \le \frac{(q-1)(q^{n+1} - 1)}{q(q^n - 1) - n(q - 1)}\, d. \tag{2.2}$$
Here the word nondegenerate means that $\mathcal{X}$ is not contained in any hyperplane of $\mathbb{P}^n(\mathbb{F}_q)$. At this point, using this result, we are ready to prove Item 1 in Theorem 1.5. Indeed for a fixed value of $q$, considering equation (2.2) and dividing both sides by $d$ gives
$$\frac{|\mathcal{X}(\mathbb{F}_q)|}{d} \le \frac{(q-1)(q^{n+1} - 1)}{q(q^n - 1) - n(q - 1)} = (q - 1)\,\frac{\dfrac{q^{n+1} - 1}{q^{n+1}}}{\dfrac{q(q^n - 1)}{q^{n+1}} - \dfrac{n(q - 1)}{q^{n+1}}}. \tag{2.3}$$
This observation can be used to improve the upper bound for $D(q)$. Note that by taking the $\limsup_{d \to \infty} M_q(d)/d$ as in (1.4), we are by definition of $D(q)$ considering curves of increasing degree. However, the dimension of the projective spaces containing the curves will also have to increase as $d$ increases. Indeed, if for a family of curves $(\mathcal{X}_i)_{i \ge 0}$, with degrees $d_i$ tending to infinity as $i$ tends to infinity, there exists an $n$ such that for all $i$, $\mathcal{X}_i \subseteq \mathbb{P}^n$, then $|\mathcal{X}_i(\mathbb{F}_q)| \le |\mathbb{P}^n(\mathbb{F}_q)| = (q^{n+1} - 1)/(q - 1)$, implying that $|\mathcal{X}_i(\mathbb{F}_q)|/d_i$ tends to zero as $i$ tends to infinity. Now let $(\mathcal{X}_i)_{i \ge 0}$ be a family of curves with degrees $d_i$ tending to infinity such that $\limsup_{i \to \infty} |\mathcal{X}_i(\mathbb{F}_q)|/d_i > 0$. Further assume for each $i$ that $\mathcal{X}_i$ is a nondegenerate curve contained in $\mathbb{P}^{n_i}$. We have seen that $n_i$ tends to infinity as $i$ tends to infinity. But then we obtain from equation (2.3):
$$D(q) \le \lim_{i \to \infty} (q - 1)\,\frac{\dfrac{q^{n_i+1} - 1}{q^{n_i+1}}}{\dfrac{q(q^{n_i} - 1)}{q^{n_i+1}} - \dfrac{n_i(q - 1)}{q^{n_i+1}}} = q - 1.$$
This proves Item 1 of Theorem 1.5.
3. A lower bound for D(q): the proof of Item 2 in Theorem 1.5
For a prime power $q = p^e$ strictly larger than two, consider the tower of function fields $\mathcal{T} = (T_m)_{m \ge 1}$ over $\mathbb{F}_q$ defined recursively as
$$T_1 = \mathbb{F}_q(x_1) \quad\text{and}\quad T_{i+1} = T_i(x_{i+1}) \quad\text{with}\quad x_{i+1}^{q-1} = -1 + (x_i + 1)^{q-1}.$$
The tower $\mathcal{T}$ is similar to an asymptotically good tower considered in [18, Proposition 7.3.3], but the variation we consider is actually not asymptotically good. It is not hard to see that the place of $T_1$ corresponding to the zero of $x_1$ is totally ramified
in the tower. In particular, the equation $x_{i+1}^{q-1} = -1 + (x_i + 1)^{q-1}$ is absolutely irreducible when viewed as a polynomial in $T_i[x_{i+1}]$. This implies in particular that the ideal
$$I_\ell := \langle x_2^{q-1} + 1 - (x_1 + 1)^{q-1}, \ldots, x_\ell^{q-1} + 1 - (x_{\ell-1} + 1)^{q-1} \rangle \subseteq \mathbb{F}_q[x_1, \ldots, x_\ell]$$
is a prime ideal. Since we want to deal with projective curves, the following proposition is essential.
Proposition 3.1. Let $\ell > 1$ be an integer and define
$$I_\ell^{h} := \langle x_2^{q-1} + z^{q-1} - (x_1 + z)^{q-1}, \ldots, x_\ell^{q-1} + z^{q-1} - (x_{\ell-1} + z)^{q-1} \rangle \subseteq \mathbb{F}_q[x_1, \ldots, x_\ell, z].$$
Then $I_\ell^{h}$ is a homogeneous prime ideal and the homogenization of the prime ideal $I_\ell := \langle x_2^{q-1} + 1 - (x_1 + 1)^{q-1}, \ldots, x_\ell^{q-1} + 1 - (x_{\ell-1} + 1)^{q-1} \rangle \subseteq \mathbb{F}_q[x_1, \ldots, x_\ell]$.
Proof. For convenience, let us write $g_i := x_{i+1}^{q-1} + 1 - (x_i + 1)^{q-1}$ and $g_i^{h} := x_{i+1}^{q-1} + z^{q-1} - (x_i + z)^{q-1}$. We have already seen that the ideal $I_\ell$ is a prime ideal. Now let $>_{\mathrm{deglex}}$ denote the degree-lexicographic ordering with $x_\ell >_{\mathrm{deglex}} \cdots >_{\mathrm{deglex}} x_1$ as a monomial order in $\mathbb{F}_q[x_1, \ldots, x_\ell]$. Since under this monomial ordering the leading terms of the $g_i$ are co-prime, the set $\{g_1, \ldots, g_{\ell-1}\}$ is a Gröbner basis of $I_\ell$. Then from [3, §8.4, Theorem 4] $\{g_1^{h}, \ldots, g_{\ell-1}^{h}\}$ is a Gröbner basis for the homogenization of $I_\ell$. Hence $I_\ell^{h}$ is the homogenization of the prime ideal $I_\ell$ and in particular $I_\ell^{h}$ is a homogeneous prime ideal. □
Now consider the projective curve $\mathcal{X}_\ell \subset \mathbb{P}^\ell$ defined over $\mathbb{F}_q$ given by the homogeneous equations
$$x_{i+1}^{q-1} = -z^{q-1} + (x_i + z)^{q-1} \quad \text{for } i = 1, \ldots, \ell - 1. \tag{3.2}$$
Proposition 3.1 implies that $\mathcal{X}_\ell \subset \mathbb{P}^\ell$ is indeed an irreducible projective curve. It actually implies that $\mathcal{X}_\ell$ is a complete intersection, which in turn implies that $\deg(\mathcal{X}_\ell) = \deg(g_1^{h}) \cdots \deg(g_{\ell-1}^{h}) = (q - 1)^{\ell-1}$. Now we consider the number of $\mathbb{F}_q$-rational points on $\mathcal{X}_\ell$. To estimate this number, we consider the number of projective points $[x_1 : x_2 : \cdots : x_\ell : 0]$ satisfying equation (3.2). Substituting $z = 0$ in equation (3.2), we obtain that
$$x_{i+1}^{q-1} = x_i^{q-1} \quad \text{for } i = 1, \ldots, \ell - 1.$$
Choosing $x_1 = 1$, we see that any solution is defined over $\mathbb{F}_q$ and that there are exactly $(q - 1)^{\ell-1}$ points at infinity on $\mathcal{X}_\ell$. In particular, $|\mathcal{X}_\ell(\mathbb{F}_q)| \ge (q - 1)^{\ell-1}$. Hence
$$D(q) \ge \limsup_{\ell \to \infty} \frac{|\mathcal{X}_\ell(\mathbb{F}_q)|}{\deg(\mathcal{X}_\ell)} \ge \frac{(q - 1)^{\ell-1}}{(q - 1)^{\ell-1}} = 1.$$
This completes the proof of Item 2 of Theorem 1.5.
4. A lower bound for D(q²): the proof of Item 3 in Theorem 1.5
In order to prove Item 3 in Theorem 1.5 we use a tower of function fields over $\mathbb{F}_{q^2}$ constructed recursively by Garcia and Stichtenoth in [6] as follows:
$$F_1 = \mathbb{F}_{q^2}(x_1) \quad\text{and}\quad F_{i+1} = F_i(x_{i+1}) \quad\text{with}\quad x_{i+1}^q + x_{i+1} = \frac{x_i^q}{x_i^{q-1} + 1}.$$
This tower is optimal in the sense that if $N_1(F_i)$ denotes the number of rational places and $g(F_i)$ the genus of $F_i$, then $\lim_{m \to \infty} N_1(F_m)/g(F_m) = q - 1 = A(q^2)$. Indeed, any zero of the function $x_1 - \alpha$ in $F_1$ for $\alpha \in \mathbb{F}_{q^2} \setminus \{\alpha \mid \alpha^q + \alpha = 0\}$ splits completely in the extension $F_m/F_1$, implying that $N_1(F_m) \ge (q - 1)q^m$. Moreover,
in [6, Remark 3.8], the genus $g(F_m)$ of $F_m$ is computed for all $m \ge 1$. It is given by
$$g(F_m) = \begin{cases} (q^{m/2} - 1)^2 & \text{if } m \equiv 0 \pmod 2, \\ (q^{\frac{m+1}{2}} - 1)(q^{\frac{m-1}{2}} - 1) & \text{if } m \equiv 1 \pmod 2. \end{cases}$$
Hence optimality of the tower follows. For computing the genus $g(F_m)$, it is proven that the pole $P_\infty$ of $x_1 \in F_1$ is totally ramified in all extensions $F_m/F_1$, $m \ge 2$, see also [15, Proposition 1.1]. We denote by $P_\infty^{(m)}$ the unique extension of $P_\infty$ in $F_m$. Note that $P_\infty^{(m)}$ is a rational place, since $P_\infty$ is totally ramified in $F_m/F_1$. Even though it is in general a difficult challenge to compute the Weierstrass semigroups at places in a tower, Pellikaan, Stichtenoth, and Torres [15] computed the Weierstrass semigroup at $P_\infty^{(m)}$ for all $m \ge 1$. The nice property proven by the authors in [15] is that the semigroup at $P_\infty^{(m)}$ can be computed from the one at $P_\infty^{(m-1)}$, following a recursive procedure. Indeed from [15, Theorem 3.1]
$$H(P_\infty^{(m)}) = \begin{cases} \mathbb{Z}_{\ge 0} & \text{if } m = 1, \\ qH(P_\infty^{(m-1)}) \cup \mathbb{Z}_{\ge c_m} & \text{if } m > 1, \end{cases} \tag{4.1}$$
where $c_m := q^m - q^{\lceil m/2 \rceil}$ is the conductor of $H(P_\infty^{(m)})$. Let $\{\gamma_1, \ldots, \gamma_\ell\}$ be a set of generators of $H(P_\infty^{(m)})$, so that
$$H(P_\infty^{(m)}) = \langle \gamma_1, \ldots, \gamma_\ell \rangle,$$
and $0 < \gamma_1 < \cdots < \gamma_\ell$. Note that equation (4.1) implies that $\gamma_1 = q^{m-1}$, being the smallest positive element of $H(P_\infty^{(m)})$. This implies that $H(P_\infty^{(m)}) \cap \mathbb{Z}$
2, since then Homma's lower bound $D(q) \ge A(q)/2$ is weaker. The following table provides for those small values of $q$ the best known lower bound for $A(q)/2$. For all other values of $q$, except possibly when $q$ is a prime, $A(q) \ge 2$.
q    A(q)/2 ≥   reference
3    0.2464     [5]
4    0.5        [13, 21]
5    0.3636     [1, 20]
7    0.4615     [8]
8    0.75       [22]
11   0.5714     [8]
13   0.6        [14]
17   0.8        [14]
19   0.8        [8]
23   0.9230     [8]
29   0.9523     [8]
31   0.9523     [8]
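To see the recursion (4.1) at work, here is an added Python example (not from the paper) that builds $H(P_\infty^{(m)})$ recursively, counts its gaps and compares the count with the genus formula from [6, Remark 3.8] quoted above; it also checks that $\gamma_1 = q^{m-1}$. The ceiling in $c_m = q^m - q^{\lceil m/2 \rceil}$ is our reading of the conductor stated after (4.1).

```python
# Added example (not from the paper): build H(P_infty^(m)) for the
# Garcia-Stichtenoth tower by the recursion (4.1) and check, by counting gaps,
# that it matches the closed genus formula quoted from [6, Remark 3.8].
import math


def conductor(q, m):
    """c_m = q^m - q^{ceil(m/2)}, our reading of the conductor after (4.1)."""
    return q**m - q**math.ceil(m / 2)


def semigroup(q, m):
    """Return (S, c) with H(P_infty^(m)) = S union Z_{>= c}, where S is the
    finite set of semigroup elements below the conductor c = c_m.
    Recursion (4.1): H^(1) = Z_{>=0}; H^(m) = q*H^(m-1) union Z_{>= c_m}."""
    if m == 1:
        return set(), 0          # conductor 0: all of Z_{>=0}
    prev, c_prev = semigroup(q, m - 1)
    c = conductor(q, m)
    # q * H^(m-1) is q*prev together with every multiple of q from q*c_prev on
    scaled = {q * h for h in prev} | set(range(q * c_prev, c, q))
    return {h for h in scaled if h < c}, c


def gap_count(q, m):
    """Genus read off the semigroup: non-negative integers below c_m that are
    not in H(P_infty^(m))."""
    elems, c = semigroup(q, m)
    return c - len(elems)


def genus_formula(q, m):
    """g(F_m) from [6, Remark 3.8], as displayed in Section 4."""
    if m % 2 == 0:
        return (q**(m // 2) - 1) ** 2
    return (q**((m + 1) // 2) - 1) * (q**((m - 1) // 2) - 1)


def smallest_positive(q, m):
    """gamma_1, the smallest positive element of H(P_infty^(m)); the text
    notes it equals q^{m-1}."""
    elems, c = semigroup(q, m)
    return min({h for h in elems if h > 0} | {max(c, 1)})


def check_tower(q, max_m):
    """True when gap counting agrees with the genus formula and gamma_1 equals
    q^{m-1} for every 1 <= m <= max_m."""
    return all(gap_count(q, m) == genus_formula(q, m)
               and smallest_positive(q, m) == q ** (m - 1)
               for m in range(1, max_m + 1))


if __name__ == "__main__":
    for q in (2, 3, 4, 5):
        print(q, [gap_count(q, m) for m in range(1, 7)], check_tower(q, 6))
```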
References
[1] Bruno Angles and Christian Maire, A note on tamely ramified towers of global function fields, Finite Fields Appl. 8 (2002), no. 2, 207–215, DOI 10.1006/ffta.2000.0336. MR1894514
[2] Alp Bassa, Peter Beelen, Arnaldo Garcia, and Henning Stichtenoth, Towers of function fields over non-prime finite fields (English, with English and Russian summaries), Mosc. Math. J. 15 (2015), no. 1, 1–29, 181, DOI 10.17323/1609-4514-2015-15-1-1-29. MR3427409
[3] David Cox, John Little, and Donal O'Shea, Ideals, varieties, and algorithms: An introduction to computational algebraic geometry and commutative algebra, Undergraduate Texts in Mathematics, Springer-Verlag, New York, 1992, DOI 10.1007/978-1-4757-2181-2. MR1189133
[4] S. G. Vlèduts and V. G. Drinfeld, The number of points of an algebraic curve (Russian), Funktsional. Anal. i Prilozhen. 17 (1983), no. 1, 68–69. MR695100
[5] Iwan Duursma and Kit-Ho Mak, On lower bounds for the Ihara constants A(2) and A(3), Compos. Math. 149 (2013), no. 7, 1108–1128, DOI 10.1112/S0010437X12000796. MR3078640
[6] Arnaldo Garcia and Henning Stichtenoth, On the asymptotic behaviour of some towers of function fields over finite fields, J. Number Theory 61 (1996), no. 2, 248–273, DOI 10.1006/jnth.1996.0147. MR1423052
[7] David M. Goldschmidt, Algebraic functions and projective curves, Graduate Texts in Mathematics, vol. 215, Springer-Verlag, New York, 2003, DOI 10.1007/b97844. MR1934359
[8] L. L. Hall-Seelig, New lower bounds for the Ihara function A(q) for small primes, J. Number Theory 133 (2013), no. 10, 3319–3324, DOI 10.1016/j.jnt.2013.04.002. MR3071814
[9] Masaaki Homma, A bound on the number of points of a curve in a projective space over a finite field, Theory and applications of finite fields, Contemp. Math., vol. 579, Amer. Math. Soc., Providence, RI, 2012, pp. 103–110, DOI 10.1090/conm/579/11523. MR2975736
[10] Masaaki Homma and Seon Jeong Kim, Around Sziklai's conjecture on the number of points of a plane curve over a finite field, Finite Fields Appl. 15 (2009), no. 4, 468–474, DOI 10.1016/j.ffa.2009.02.008. MR2535590
[11] Masaaki Homma and Seon Jeong Kim, Sziklai's conjecture on the number of points of a plane curve over a finite field II, Finite fields: theory and applications, Contemp. Math., vol. 518, Amer. Math. Soc., Providence, RI, 2010, pp. 225–234, DOI 10.1090/conm/518/10208. MR2648551
[12] Masaaki Homma and Seon Jeong Kim, Sziklai's conjecture on the number of points of a plane curve over a finite field III, Finite Fields Appl. 16 (2010), no. 5, 315–319, DOI 10.1016/j.ffa.2010.05.001. MR2678619
[13] Yasutaka Ihara, Some remarks on the number of rational points of algebraic curves over finite fields, J. Fac. Sci. Univ. Tokyo Sect. IA Math. 28 (1981), no. 3, 721–724 (1982). MR656048
[14] Wen-Ching W. Li and Hiren Maharaj, Coverings of curves with asymptotically many rational points, J. Number Theory 96 (2002), no. 2, 232–256. MR1932454
[15] Ruud Pellikaan, Henning Stichtenoth, and Fernando Torres, Weierstrass semigroups in an asymptotically good tower of function fields, Finite Fields Appl. 4 (1998), no. 4, 381–392, DOI 10.1006/ffta.1998.0217. MR1648573
[16] Keith Saints and Chris Heegard, Algebraic-geometric codes and multidimensional cyclic codes: a unified theory and algorithms for decoding using Gröbner bases, IEEE Trans. Inform. Theory 41 (1995), no. 6, 1733–1751, DOI 10.1109/18.476246. Special issue on algebraic geometry codes. MR1391032
[17] Jean-Pierre Serre, Sur le nombre des points rationnels d'une courbe algébrique sur un corps fini (French, with English summary), C. R. Acad. Sci. Paris Sér. I Math. 296 (1983), no. 9, 397–402. MR703906
[18] Henning Stichtenoth, Algebraic function fields and codes, 2nd ed., Graduate Texts in Mathematics, vol. 254, Springer-Verlag, Berlin, 2009. MR2464941
[19] Peter Sziklai, A bound on the number of points of a plane curve, Finite Fields Appl. 14 (2008), no. 1, 41–43, DOI 10.1016/j.ffa.2007.09.004. MR2381474
[20] Alexandre Temkine, Hilbert class field towers of function fields over finite fields and lower bounds for A(q), J. Number Theory 87 (2001), no. 2, 189–210, DOI 10.1006/jnth.2000.2596. MR1824142
[21] M. A. Tsfasman, S. G. Vlăduţ, and Th. Zink, Modular curves, Shimura curves, and Goppa codes, better than Varshamov-Gilbert bound, Math. Nachr. 109 (1982), 21–28, DOI 10.1002/mana.19821090103. MR705893
[22] Th. Zink, Degeneration of Shimura surfaces and a problem in coding theory, Fundamentals of computation theory (Cottbus, 1985), Lecture Notes in Comput. Sci., vol. 199, Springer, Berlin, 1985, pp. 503–511, DOI 10.1007/BFb0028834. MR821267

Department of Applied Mathematics and Computer Science, Technical University of Denmark, Kongens Lyngby 2800, Denmark
Email address: [email protected]
Department of Applied Mathematics and Computer Science, Technical University of Denmark, Kongens Lyngby 2800, Denmark
Email address: [email protected]
Department of Applied Mathematics and Computer Science, Technical University of Denmark, Kongens Lyngby 2800, Denmark
Email address: [email protected]
Contemporary Mathematics Volume 779, 2022 https://doi.org/10.1090/conm/779/15670
How big is the image of the Galois representations attached to CM elliptic curves? Francesco Campagna and Riccardo Pengo Abstract. Using an analogue of Serre’s open image theorem for elliptic curves with complex multiplication, one can associate to each CM elliptic curve E defined over a number field F a natural number I(E/F ) which describes how big the image of the Galois representation associated to E is. We show how one can compute I(E/F ), using a closed formula that we obtain from the classical theory of complex multiplication.
1. Introduction
Fix an algebraic closure $\overline{\mathbb{Q}}$ of the field of rational numbers $\mathbb{Q}$. Let $E$ be an elliptic curve defined over a number field $F \subseteq \overline{\mathbb{Q}}$, and let
$$\rho_E : G_F \to \operatorname{Aut}_{\mathbb{Z}}(E_{\mathrm{tors}}) \tag{1.1}$$
be the representation of the absolute Galois group $G_F := \operatorname{Gal}(\overline{F}/F)$ associated to its action on the torsion points $E_{\mathrm{tors}} := E(\overline{F})_{\mathrm{tors}}$ of the elliptic curve $E$. If $E$ does not have complex multiplication (CM), i.e. $\operatorname{End}_{\overline{F}}(E) \cong \mathbb{Z}$, Serre's open image theorem [17, Théorème 3] implies that the index
$$I(E/F) := |\operatorname{Aut}_{\mathbb{Z}}(E_{\mathrm{tors}}) : \rho_E(G_F)|$$
is finite. One is naturally led to investigate the dependence of $I(E/F)$ on $E$ and $F$. For instance, one can ask whether there exists an explicit, closed formula for $I(E/F)$, whose terms can be effectively computed starting from a Weierstraß equation of $E$. At the time of writing, and to the best of the authors' knowledge, no such formula is available in the literature. The previous question can then be weakened, by asking whether there exists an upper bound for $I(E/F)$ which can be effectively computed in terms of $E$. An affirmative answer to this second question has been provided by Lombardo in [12]. In fact, it has even been conjectured that there should exist such an upper bound which does not depend on $E$, but only on

2020 Mathematics Subject Classification. Primary 11G05, 14K22, 11F80, 11G15; Secondary 11Y40.
Key words and phrases. Elliptic curves, Complex multiplication, Galois representations.
The first author was supported by ANR-20-CE40-0003 Jinvariant. Moreover, he wishes to thank the Max Planck Institute for Mathematics in Bonn for its financial support, great work conditions and an inspiring atmosphere. The second author performed this work within the framework of the LABEX MILYON (ANR-10-LABX-0070) of Université de Lyon, within the program "Investissements d'Avenir" (ANR-11-IDEX-0007) operated by the French National Research Agency (ANR). Both authors thank the IRN GANDA for support.
© 2022 Copyright by the authors
42
FRANCESCO CAMPAGNA AND RICCARDO PENGO
the field of definition $F$. This conjecture is explicitly mentioned for $F = \mathbb{Q}$ in the introduction to the recent work of Rouse, Sutherland and Zureick-Brown [16], and is known to hold true under the assumption of Serre's uniformity conjecture, by previous work of Zywina (see [26, Theorem 1.4]). On the other hand, if $E$ has complex multiplication by an order $\mathcal{O}$ in an imaginary quadratic field $K$, i.e. $\operatorname{End}_{\overline{F}}(E) \cong \mathcal{O}$, the index of the image of $\rho_E$ inside $\operatorname{Aut}_{\mathbb{Z}}(E_{\mathrm{tors}})$ is infinite. Nevertheless, as we recall in Section 2, one can formulate an analogue of Serre's open image theorem for $E$, by replacing $\operatorname{Aut}_{\mathbb{Z}}(E_{\mathrm{tors}})$ with a smaller subgroup $\mathcal{G}(E/F) \subseteq \operatorname{Aut}_{\mathbb{Z}}(E_{\mathrm{tors}})$, explicitly defined in (2.4), which is closed and of infinite index inside $\operatorname{Aut}_{\mathbb{Z}}(E_{\mathrm{tors}})$. As a consequence, the index
$$I(E/F) := |\mathcal{G}(E/F) : \rho_E(G_F)|$$
is finite, and, as above, one can ask whether it can be expressed by means of an explicit and closed formula. The main goal of this paper is to show how to use the classical theory of complex multiplication to give the following affirmative answer to this question.
Theorem 1.1. Let $\mathcal{O}$ be an order in an imaginary quadratic field $K \subseteq \overline{\mathbb{Q}}$. Let $E$ be an elliptic curve that has complex multiplication by $\mathcal{O}$ and is defined over a number field $F \subseteq \overline{\mathbb{Q}}$. Denote by $K^{\mathrm{ab}} \subseteq \overline{\mathbb{Q}}$ the maximal abelian extension of $K$ contained in $\overline{\mathbb{Q}}$, and by $FK \subseteq \overline{\mathbb{Q}}$ and $FK^{\mathrm{ab}} \subseteq \overline{\mathbb{Q}}$ the composita of $F$ with $K$ and $K^{\mathrm{ab}}$ respectively. Then:
$$I(E/F) = [(FK) \cap K^{\mathrm{ab}} : H_{\mathcal{O}}] \cdot \frac{|\mathcal{O}^\times|}{[F(E_{\mathrm{tors}}) : FK^{\mathrm{ab}}]} \tag{1.2}$$
where $H_{\mathcal{O}} \subseteq K^{\mathrm{ab}}$ is the ring class field of $K$ relative to the order $\mathcal{O}$ (see [9, § 9]), and $F(E_{\mathrm{tors}}) \subseteq \overline{\mathbb{Q}}$ is the field obtained by adjoining to $F$ all the coordinates of all the points lying in $E_{\mathrm{tors}}$.
Note that the right-hand side of (1.2) makes sense because the field extension $K \subseteq H_{\mathcal{O}}$ is abelian, and, whenever $\operatorname{End}_{\overline{F}}(E) \cong \mathcal{O}$, one knows that $FK^{\mathrm{ab}} \subseteq F(E_{\mathrm{tors}})$ [5, § 4.1 and Remark 3.8], and $H_{\mathcal{O}} = K(j(E)) \subseteq FK$ [9, Theorem 11.1], where $j(E) \in F$ denotes the $j$-invariant of the elliptic curve $E$. Moreover, the classical theory of complex multiplication implies that the degree of the field extension $FK^{\mathrm{ab}} \subseteq F(E_{\mathrm{tors}})$ is finite and divides $|\mathcal{O}^\times|$. We explain this in more detail in Section 3, which is mainly devoted to the proof of Theorem 1.1. As an immediate consequence of Theorem 1.1, one has the divisibility
$$I(E/F) \mid [(FK) \cap K^{\mathrm{ab}} : H_{\mathcal{O}}] \cdot |\mathcal{O}^\times| \tag{1.3}$$
which shows that $I(E/F)$ can be bounded solely in terms of $F$, for every CM elliptic curve $E/F$. This improves the upper bounds for $I(E/F)$ previously proved by Lombardo [13, Theorem 6.6] and Bourdon and Clark [3, Corollary 1.5]. Moreover, Theorem 1.1 applied to any elliptic curve $E/\mathbb{Q}$ which has complex multiplication by an imaginary quadratic order $\mathcal{O}$ shows that $I(E/\mathbb{Q}) = |\mathcal{O}^\times|$. In the case $\mathcal{O} = \mathbb{Z}[i]$, this strengthens the conclusion of [14, Theorem 1.3]. The foregoing discussion shows that $I(E/F)$ is very well understood in the CM case. However, it may not appear immediately clear how to apply (1.2) to compute $I(E/F)$ in concrete examples. We explain how to do so in Section 4. In fact, after rewriting (1.2) appropriately (see Proposition 4.1), we obtain an algorithm that takes as inputs a number field $F$ and a CM elliptic curve $E/F$, and outputs
HOW BIG IS THE IMAGE OF CM GALOIS REPRESENTATIONS?
$I(E/F)$. More precisely, we rephrase Equation (1.2) in terms of a finite extension $L \supseteq FK$ such that $F(E_{\mathrm{tors}}) = LK^{\mathrm{ab}}$. We prove in Proposition 4.2 that one can always take $L = F(E[I])$ to be the $I$-division field generated by the coordinates of the points $P \in E[I]$ belonging to the $I$-torsion subgroup
\[ E[I] := \bigcap_{\alpha \in I} \ker\Bigl( E(\overline{F}) \xrightarrow{\;[\alpha]_E\;} E(\overline{F}) \Bigr) \]
where $I \subseteq \mathcal{O}$ is any ideal such that $|\mathbb{Z}/(I \cap \mathbb{Z})| > \max(2, |\mathcal{O}^\times|/2)$, and the map $[\cdot]_E \colon \mathcal{O} \xrightarrow{\sim} \mathrm{End}_{\overline{F}}(E)$ is the normalised isomorphism described in Lemma 2.1. In practice, if $j(E) \neq 0$ one usually takes $L = F(E[3])$ in order to ease the computational burden. We devote Section 5 to the application of this algorithm to some explicit examples of elliptic curves $E$ that have complex multiplication by imaginary quadratic orders $\mathcal{O}$ of class number two.

2. Analogues of Serre's open image theorem for CM elliptic curves

Let $E$ be an elliptic curve defined over a number field $F \subseteq \overline{\mathbb{Q}}$. Then, the absolute Galois group $G_F$ naturally acts both on the set $E_{\mathrm{tors}} = \varinjlim_N E[N]$, and on the adelic Tate module $T(E) := \varprojlim_N E[N]$. The first action gives rise to the Galois representation $\rho_E$ appearing in (1.1), whereas the action on $T(E)$ induces another Galois representation $\widehat{\rho}_E \colon G_F \to \mathrm{Aut}_{\widehat{\mathbb{Z}}}(T(E))$. As done in [17, § 4.1, Remarque (1)], one can construct an isomorphism
\[ \nu \colon \mathrm{Aut}_{\widehat{\mathbb{Z}}}(T(E)) \xrightarrow{\sim} \mathrm{Aut}_{\mathbb{Z}}(E_{\mathrm{tors}}) \]
such that $\rho_E = \nu \circ \widehat{\rho}_E$. As a consequence, one can indifferently study the Galois representation $\rho_E$, as done in this paper, or its twin $\widehat{\rho}_E$, as done in some of our references. If $E$ does not have complex multiplication, i.e. if $\mathrm{End}_F(E) \cong \mathrm{End}_{\overline{F}}(E) \cong \mathbb{Z}$, then the celebrated "open image theorem", proved by Serre in [17, Théorème 3], shows that the image of the Galois representation $\rho_E$ is a subgroup of finite index inside $\mathrm{Aut}_{\mathbb{Z}}(E_{\mathrm{tors}}) \cong \mathrm{GL}_2(\widehat{\mathbb{Z}})$, where $\widehat{\mathbb{Z}} := \varprojlim_N (\mathbb{Z}/N\mathbb{Z})$ denotes the profinite completion of $\mathbb{Z}$. On the other hand, if the elliptic curve $E$ has complex multiplication, the image of $\rho_E$ is not open inside $\mathrm{Aut}_{\mathbb{Z}}(E_{\mathrm{tors}})$. However, one can formulate a CM analogue of Serre's open image theorem by replacing $\mathrm{Aut}_{\mathbb{Z}}(E_{\mathrm{tors}})$ with an appropriate closed subgroup $G(E/F) \subseteq \mathrm{Aut}_{\mathbb{Z}}(E_{\mathrm{tors}})$, which we now describe.

Suppose now that $\mathrm{End}_{\overline{F}}(E) \not\cong \mathbb{Z}$. Then the endomorphism ring $\mathrm{End}_{\overline{F}}(E)$ can be canonically identified with an order inside an imaginary quadratic field, as the following classical lemma shows.

Lemma 2.1. Let $F$ be a number field, and $E/F$ be an elliptic curve such that $\mathrm{End}_{\overline{F}}(E) \not\cong \mathbb{Z}$, where $\overline{F}$ denotes a fixed algebraic closure of $F$. Then, there exists an imaginary quadratic field $K$ and an order $\mathcal{O} \subseteq K$ such that $\mathrm{End}_{\overline{F}}(E) \cong \mathcal{O}$. Moreover, for each embedding $\iota \colon K \hookrightarrow \overline{F}$, there exists a unique isomorphism
\[ [\cdot]_{E,\iota} \colon \mathcal{O} \xrightarrow{\sim} \mathrm{End}_{\overline{F}}(E) \]
such that $[\alpha]_{E,\iota}^*(\omega) = \iota(\alpha) \cdot \omega$ for every $\alpha \in \mathcal{O}$ and every invariant differential $\omega$ defined over $E_{\overline{F}}$, where $[\alpha]_{E,\iota}^*(\omega)$ denotes the pull-back of $\omega$ along the endomorphism $[\alpha]_{E,\iota}$.
FRANCESCO CAMPAGNA AND RICCARDO PENGO
Proof. See [21, Chapter III, Corollary 9.4] for the existence of $K$ and $\mathcal{O}$. Moreover, the existence of $[\cdot]_{E,\iota}$ follows from [20, Chapter II, Proposition 1.1], after fixing an embedding $\overline{F} \hookrightarrow \mathbb{C}$. Finally, observe that for any two isomorphisms $[\cdot], [\cdot]' \colon \mathcal{O} \xrightarrow{\sim} \mathrm{End}_{\overline{F}}(E)$, there exists an automorphism $\sigma \colon \mathcal{O} \xrightarrow{\sim} \mathcal{O}$ with the property that $[\alpha]' = [\sigma(\alpha)]$ for every $\alpha \in \mathcal{O}$. Hence, if these isomorphisms satisfy the requirements of the lemma, we see that $\iota(\alpha - \sigma(\alpha)) \cdot \omega = 0$ for every $\alpha \in \mathcal{O}$ and every invariant differential $\omega$. Thus, we have that $\sigma = \mathrm{Id}_{\mathcal{O}}$, which allows us to conclude.

Now, suppose at first that $E/F$ is an elliptic curve with the property that $\mathrm{End}_F(E) \cong \mathrm{End}_{\overline{F}}(E) \cong \mathcal{O}$ for some order $\mathcal{O}$ inside an imaginary quadratic field $K$. Then by [19, Chapter II, Proposition 30] we necessarily have $K \subseteq F$, and one can easily show (using for instance [20, Chapter II, Theorem 2.2]) that the absolute Galois group $G_F$ of $F$ acts as $\mathcal{O}$-module automorphisms on $E_{\mathrm{tors}}$. Thus, we have
\[ \rho_E(G_F) \subseteq \mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}}) =: G(E/F) \tag{2.1} \]
where $G(E/F)$ is an abelian group canonically isomorphic to $\widehat{\mathcal{O}}^\times$, the unit group of the profinite completion $\widehat{\mathcal{O}} := \varprojlim_N (\mathcal{O}/N\mathcal{O})$. In particular, the field extension $F \subseteq F(E_{\mathrm{tors}})$ is abelian. Note also that $\mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}})$ is closed inside $\mathrm{Aut}_{\mathbb{Z}}(E_{\mathrm{tors}})$, since we have
\[ \mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}}) = \bigcap_{N \in \mathbb{N}} \mathrm{res}_N^{-1}\bigl(\mathrm{Aut}_{\mathcal{O}}(E[N])\bigr) \]
where $\mathrm{res}_N \colon \mathrm{Aut}_{\mathbb{Z}}(E_{\mathrm{tors}}) \to \mathrm{Aut}_{\mathbb{Z}}(E[N])$ denotes the natural restriction map. On the other hand, $\mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}})$ is not open inside $\mathrm{Aut}_{\mathbb{Z}}(E_{\mathrm{tors}}) \cong \mathrm{GL}_2(\widehat{\mathbb{Z}})$, because the latter does not contain any abelian subgroup of finite index. However, the subgroup $\rho_E(G_F)$ is open in $\mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}})$, as shown in [17, § 4.5] using the classical theorems of complex multiplication. Since $\mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}}) \cong \widehat{\mathcal{O}}^\times$ is a profinite group, this in particular implies that the index of $\rho_E(G_F)$ inside $\mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}})$ is finite. We can regard this result as an analogue of Serre's open image theorem for those CM elliptic curves whose field of definition contains the field $K$.

Assume now that the elliptic curve $E/F$ has the properties that $\mathrm{End}_F(E) \cong \mathbb{Z}$ and $\mathrm{End}_{\overline{F}}(E) \cong \mathcal{O}$, for some order $\mathcal{O}$ inside an imaginary quadratic field $K$. Again by [19, Chapter II, Proposition 30], under these assumptions we must have $K \not\subseteq F$. Since not all the geometric endomorphisms of $E$ are defined over the base field, in this case the Galois group $G_F$ does not respect the $\mathcal{O}$-module structure on $E_{\mathrm{tors}}$. More precisely, since we fixed an embedding $\mathcal{O} \subseteq K \subseteq \overline{\mathbb{Q}} = \overline{F}$, there exists a unique isomorphism $[\cdot]_E \colon \mathcal{O} \xrightarrow{\sim} \mathrm{End}_{\overline{F}}(E)$ such that for every $\alpha \in \mathcal{O}$ and every invariant differential $\omega$ on the elliptic curve $E_{\overline{F}}$, the equality $[\alpha]_E^*(\omega) = \alpha\omega$ holds. Then an automorphism $\sigma \in G_F$ acts on $[\alpha]_E(P)$ as
\[ \sigma\bigl([\alpha]_E(P)\bigr) = [\sigma(\alpha)]_E(\sigma(P)) \tag{2.2} \]
as follows from [20, Chapter II, Theorem 2.2]. We then see that for every $\sigma \in G_F$ and each fixed $\tau \in G_F$ restricting to the unique non-trivial element in $\mathrm{Gal}(FK/F)$, exactly one among $\sigma$ and $\sigma\tau$ acts $\mathcal{O}$-linearly on $E_{\mathrm{tors}}$. We deduce that
\[ \rho_E(G_F) \subseteq \bigl\langle \mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}}),\, \rho_E(\tau) \bigr\rangle =: G(E/F) \tag{2.3} \]
and one can easily show that the group $G(E/F)$ does not actually depend on $\tau$, thus justifying the notation. Indeed, if both $\tau, \tau' \in G_F$ restrict to the unique non-trivial element of $\mathrm{Gal}(FK/F)$, one has that $\tau\tau' \in \mathrm{Gal}(\overline{F}/FK)$. This implies that
$\rho_E(\tau\tau') \in \mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}})$, which gives $\langle \mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}}), \rho_E(\tau) \rangle = \langle \mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}}), \rho_E(\tau') \rangle$ as wanted. Moreover, $\rho_E(\tau)$ normalises $\mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}})$, as follows from (2.2) and the fact that $\rho_E(\tau)^2 \in \mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}})$. Hence, we see that $\mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}})$ is a normal subgroup of $G(E/F)$ with index $|G(E/F) : \mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}})| = 2$. As a consequence, $G(E/F)$ is closed inside $\mathrm{Aut}_{\mathbb{Z}}(E_{\mathrm{tors}})$, and so it is a profinite group. On the other hand, $G(E/F)$ is not open inside $\mathrm{Aut}_{\mathbb{Z}}(E_{\mathrm{tors}})$, because it contains the abelian group $\mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}})$ as a finite-index subgroup. Thus, $\rho_E(G_F)$ cannot be open inside $\mathrm{Aut}_{\mathbb{Z}}(E_{\mathrm{tors}})$. Nevertheless, $\rho_E(G_F)$ is open inside the closed subgroup $G(E/F)$, as the following lemma shows.

Lemma 2.2. Let $E/F$ be an elliptic curve with complex multiplication by an order $\mathcal{O}$ in an imaginary quadratic field $K \not\subseteq F$, and let $E' := E_{FK}$ denote the base-change of $E$ to the compositum $FK$. Then $\rho_E(G_F)$ is open in $G(E/F)$, and the following equality holds:
\[ I(E/F) := |G(E/F) : \rho_E(G_F)| = |\mathrm{Aut}_{\mathcal{O}}(E'_{\mathrm{tors}}) : \rho_{E'}(G_{FK})| =: I(E'/FK). \]

Proof. Since $\mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}})$ is closed and of finite index in $G(E/F)$, it is also open in the same group. Moreover, the subgroup $\rho_{E'}(G_{FK}) \subseteq \mathrm{Aut}_{\mathcal{O}}(E'_{\mathrm{tors}})$ is open by [17, § 4.5, Corollaire], and clearly the equalities $\rho_{E'}(G_{FK}) = \rho_E(G_{FK})$ and $\mathrm{Aut}_{\mathcal{O}}(E'_{\mathrm{tors}}) = \mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}})$ hold. Thus we see that $\rho_E(G_{FK})$ is an open subgroup of $\rho_E(G_F)$ and we conclude that the latter is open in $G(E/F)$. In particular, $\rho_E(G_F)$ is a closed subgroup of finite index inside $G(E/F)$. To prove the equality of indices, we use the fact that $FK \subseteq F(E_{\mathrm{tors}})$, by [4, Lemma 3.15]. Since $\rho_E$ induces an injective map $\mathrm{Gal}(F(E_{\mathrm{tors}})/F) \hookrightarrow G(E/F)$, we have $|\rho_E(G_F) : \rho_E(G_{FK})| = 2$. Now, the computation
\[ |G(E/F) : \rho_E(G_F)| = \tfrac{1}{2}\,|G(E/F) : \rho_E(G_{FK})| = |\mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}}) : \rho_E(G_{FK})| \]
allows us to conclude.

We summarise our discussion so far. Given a number field $F$ and an elliptic curve $E/F$ with complex multiplication by an order $\mathcal{O}$ in an imaginary quadratic field $K$, we define, following (2.1) and (2.3):
\[ G(E/F) := \begin{cases} \mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}}) & \text{if } K \subseteq F, \\ \bigl\langle \mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}}),\, \rho_E(\tau) \bigr\rangle & \text{if } K \not\subseteq F \end{cases} \tag{2.4} \]
where, if $K \not\subseteq F$, we let $\tau \in G_F$ be any automorphism that restricts to the unique non-trivial element of $\mathrm{Gal}(FK/F)$. Then, in the previous discussion, we have shown that $G(E/F)$ is a profinite group, which contains $\rho_E(G_F)$ as an open subgroup. Moreover, if we define the CM index $I(E/F)$ to be
\[ I(E/F) := |G(E/F) : \rho_E(G_F)| \tag{2.5} \]
then by Lemma 2.2 we have that $I(E/F) = I(E'/FK)$ is finite.

3. A formula for the index

The aim of this section is to provide a proof of Theorem 1.1. We place ourselves in the setting of the theorem, by fixing an order $\mathcal{O}$ inside an imaginary quadratic field $K \subseteq \overline{\mathbb{Q}}$ and an elliptic curve $E$ which has complex multiplication by $\mathcal{O}$ and is defined over a number field $F \subseteq \overline{\mathbb{Q}}$. We explained in Lemma 2.2 that the equality
$I(E/F) = I(E'/FK)$ holds true, hence we will assume without loss of generality that $K \subseteq F$. This in particular implies that $H_{\mathcal{O}} \subseteq F$, where, as in Theorem 1.1, $H_{\mathcal{O}}$ denotes the ring class field of $K$ relative to the order $\mathcal{O}$. The formula (1.2) appearing in Theorem 1.1 is a byproduct of the first main theorem of complex multiplication (see [11, Chapter 10, Theorem 8]). The latter asserts the existence of a unique continuous group homomorphism $\mu \colon \mathbb{A}_F^\times \to K^\times$ such that, for every $s \in \mathbb{A}_F^\times$ and every complex uniformisation $\xi \colon \mathbb{C} \twoheadrightarrow E(\mathbb{C})$ with $\Lambda := \ker(\xi) \subseteq K$, the following diagram commutes:
\[ \begin{array}{ccc} K/\Lambda & \xrightarrow{\;(\mu(s)\, N_{F/K}(s^{-1}))\,\cdot\;} & K/\Lambda \\ \Big\downarrow{\script0style \xi} & & \Big\downarrow{\scriptstyle \xi} \\ E_{\mathrm{tors}} & \xrightarrow{\;[s,F]\;} & E_{\mathrm{tors}} \end{array} \]
Here $N_{F/K} \colon \mathbb{A}_F^\times \to \mathbb{A}_K^\times$ denotes the idelic norm map, whereas the notation $[\cdot, F] \colon \mathbb{A}_F^\times \twoheadrightarrow \mathrm{Gal}(F^{\mathrm{ab}}/F)$ stands for the global Artin map, and the upper horizontal arrow is given by the idelic multiplication map (see [11, Page 100]). In particular, the action of the idèle $\mu(s)\, N_{F/K}(s^{-1}) \in \mathbb{A}_K^\times$ on the set of lattices contained in $K$, described in [11, Chapter 8, Theorem 10], fixes $\Lambda$. Since $\Lambda$ is an invertible fractional ideal of $\mathcal{O}$, this implies that $\mu(s)\, N_{F/K}(s^{-1})$ fixes also $\mathcal{O}$. Thus, the finite idèle $(\mu(s)\, N_{F/K}(s^{-1}))_{\mathrm{fin}}$ lies in the subgroup $\widehat{\mathcal{O}}^\times \subseteq \mathbb{A}_K^\times$. Hence, the association $s \mapsto (\mu(s)\, N_{F/K}(s^{-1}))_{\mathrm{fin}}$ defines a continuous group homomorphism $\theta_E \colon \mathbb{A}_F^\times \to \widehat{\mathcal{O}}^\times$, which makes the following diagram:
\[ \begin{array}{ccc} \mathbb{A}_F^\times & \xrightarrow{\;\theta_E\;} & \widehat{\mathcal{O}}^\times \\ \Big\downarrow{\scriptstyle [\cdot,F]} & & \Big\downarrow{\scriptstyle \sim} \\ \mathrm{Gal}(F(E_{\mathrm{tors}})/F) & \xrightarrow{\;\rho_E\;} & \mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}}) \end{array} \tag{3.1} \]
commute. We are now ready to prove Theorem 1.1.

Proof of Theorem 1.1. Define $\psi_E$ to be the group homomorphism
\[ \psi_E \colon \mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}}) \xrightarrow{\sim} \widehat{\mathcal{O}}^\times \xrightarrow{\;a_{\mathcal{O}}\;} \mathrm{Gal}(K^{\mathrm{ab}}/H_{\mathcal{O}}) \]
where $a_{\mathcal{O}} \colon \widehat{\mathcal{O}}^\times \to \mathrm{Gal}(K^{\mathrm{ab}}/H_{\mathcal{O}})$ is the composition of the natural embedding $\widehat{\mathcal{O}}^\times \hookrightarrow \mathbb{A}_K^\times$ with the map $\mathbb{A}_K^\times \twoheadrightarrow G_K^{\mathrm{ab}}$ given by $s \mapsto [s^{-1}, K]$. It is easy to show that $\psi_E$ fits in a short exact sequence
\[ 1 \to \mathrm{Aut}_F(E) \to \mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}}) \xrightarrow{\;\psi_E\;} \mathrm{Gal}(K^{\mathrm{ab}}/H_{\mathcal{O}}) \to 1 \tag{3.2} \]
because $\ker(a_{\mathcal{O}}) = \ker([\cdot, K]) \cap \widehat{\mathcal{O}}^\times = K^\times \cap \widehat{\mathcal{O}}^\times = \mathcal{O}^\times$. Then, we can form the following square:
\[ \begin{array}{ccc} \mathrm{Gal}(F(E_{\mathrm{tors}})/F) & \xrightarrow{\;\rho_E\;} & \mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}}) \\ \Big\downarrow & & \Big\downarrow{\scriptstyle \psi_E} \\ \mathrm{Gal}(K^{\mathrm{ab}}/F \cap K^{\mathrm{ab}}) & \xrightarrow{\;\iota\;} & \mathrm{Gal}(K^{\mathrm{ab}}/H_{\mathcal{O}}) \end{array} \tag{3.3} \]
where the map on the left is defined by the composition
\[ \mathrm{Gal}(F(E_{\mathrm{tors}})/F) \twoheadrightarrow \mathrm{Gal}(FK^{\mathrm{ab}}/F) \xrightarrow{\sim} \mathrm{Gal}(K^{\mathrm{ab}}/F \cap K^{\mathrm{ab}}) \]
of a restriction map and a natural isomorphism coming from Galois theory. We claim that (3.3) commutes. Indeed, extending (3.3) by diagram (3.1) gives the following square:
\[ \begin{array}{ccc} \mathbb{A}_F^\times & \xrightarrow{\;\theta_E\;} & \widehat{\mathcal{O}}^\times \\ \Big\downarrow{\scriptstyle [\cdot,F]|_{K^{\mathrm{ab}}}} & & \Big\downarrow{\scriptstyle a_{\mathcal{O}}} \\ \mathrm{Gal}(K^{\mathrm{ab}}/F \cap K^{\mathrm{ab}}) & \xrightarrow{\;\iota\;} & \mathrm{Gal}(K^{\mathrm{ab}}/H_{\mathcal{O}}) \end{array} \tag{3.4} \]
which commutes because, for every $s \in \mathbb{A}_F^\times$, one has
\[ a_{\mathcal{O}}(\theta_E(s)) = \bigl[(\mu(s) \cdot N_{F/K}(s^{-1}))^{-1}, K\bigr] = [N_{F/K}(s), K] = \iota\bigl([s, F]|_{K^{\mathrm{ab}}}\bigr) \]
using the fact that $K^\times \cdot (K \otimes_{\mathbb{Q}} \mathbb{R})^\times \subseteq \ker([\cdot, K])$, as explained in [1, Chapter IX, Theorem 3], and the functoriality of class field theory [15, Chapter VI, Proposition 5.2]. Thus (3.3) commutes, because (3.4) does, and the vertical maps in the commutative diagram (3.1) are surjective. Now, (3.2) and (3.3) induce the following commutative diagram, whose rows are exact:
\[ \begin{array}{ccccccccc} 1 & \to & \mathrm{Gal}(F(E_{\mathrm{tors}})/FK^{\mathrm{ab}}) & \to & \mathrm{Gal}(F(E_{\mathrm{tors}})/F) & \to & \mathrm{Gal}(K^{\mathrm{ab}}/F \cap K^{\mathrm{ab}}) & \to & 1 \\ & & \Big\downarrow{\scriptstyle \iota'} & & \Big\downarrow{\scriptstyle \rho_E} & & \Big\downarrow{\scriptstyle \iota} & & \\ 1 & \to & \mathrm{Aut}_F(E) & \to & \mathrm{Aut}_{\mathcal{O}}(E_{\mathrm{tors}}) & \xrightarrow{\;\psi_E\;} & \mathrm{Gal}(K^{\mathrm{ab}}/H_{\mathcal{O}}) & \to & 1 \end{array} \tag{3.5} \]
This shows in particular that the degree of the extension $FK^{\mathrm{ab}} \subseteq F(E_{\mathrm{tors}})$ is finite and divides $|\mathrm{Aut}_F(E)| = |\mathcal{O}^\times|$. Finally, we have
\[ I(E/F) = |\mathrm{coker}(\rho_E)| = |\mathrm{coker}(\iota)| \cdot |\mathrm{coker}(\iota')| = [F \cap K^{\mathrm{ab}} : H_{\mathcal{O}}] \cdot \frac{|\mathcal{O}^\times|}{[F(E_{\mathrm{tors}}) : FK^{\mathrm{ab}}]} \]
by the snake lemma, which allows us to conclude.
An immediate consequence of Theorem 1.1 is the following improvement of the bounds provided by [13, Theorem 6.6] and [3, Corollary 1.5].

Corollary 3.1. Let $\mathcal{O}$ be an order inside an imaginary quadratic field $K$. For every number field $F \subseteq \overline{\mathbb{Q}}$, and every elliptic curve $E/F$ with complex multiplication by $\mathcal{O}$, the index $I(E/F)$ divides $[(FK) \cap K^{\mathrm{ab}} : H_{\mathcal{O}}] \cdot |\mathcal{O}^\times|$.

Moreover, Theorem 1.1 can be rephrased in a simpler fashion, if one assumes that $|\mathcal{O}^\times| = 2$, which holds for every order $\mathcal{O}$ of discriminant $\Delta_{\mathcal{O}} < -4$.

Corollary 3.2. Let $\mathcal{O}$ be an order inside an imaginary quadratic field $K$, and suppose that $\Delta_{\mathcal{O}} < -4$. Let $E$ be an elliptic curve with complex multiplication by $\mathcal{O}$, defined over a number field $F \subseteq \overline{\mathbb{Q}}$. Then, the following equality holds:
\[ I(E/F) = [(FK) \cap K^{\mathrm{ab}} : H_{\mathcal{O}}] \cdot \begin{cases} 2, & \text{if } F(E_{\mathrm{tors}}) = FK^{\mathrm{ab}} \\ 1, & \text{otherwise.} \end{cases} \tag{3.6} \]
The dichotomy provided by (3.6) reflects a property of CM elliptic curves introduced by Shimura in [18, Pages 216-218], and studied in [5, § 5]. In particular, Corollary 3.2 generalises [5, Corollary 5.8], which was proved by different means.
Remark 3.3. Setting $F = \mathbb{Q}(j(E))$ in Theorem 1.1 we see that $I(E/F) \in \{1, |\mathcal{O}^\times|\}$. However, this does not allow to describe explicitly the image $\rho_E(G_F)$ as a subgroup of $\mathrm{Aut}_{\mathbb{Z}}(E_{\mathrm{tors}}) \cong \mathrm{GL}_2(\widehat{\mathbb{Z}})$, since the latter can vary amongst infinitely many possible subgroups, as it happens already for $F = \mathbb{Q}$ (see [5, Theorem 6.3]). On the other hand, the image of $\rho_E(G_F)$ under the projections $\mathrm{GL}_2(\widehat{\mathbb{Z}}) \twoheadrightarrow \mathrm{GL}_2(\mathbb{Z}_\ell)$ for $\ell \in \mathbb{N}$ a prime, belongs, up to conjugation, to a finite list of subgroups which has been explicitly determined by Lozano-Robledo [14].

To conclude this section, we observe that Theorem 1.1 implies that the index $I(E/F)$ is invariant under appropriate twisting of the elliptic curve $E$, as specified by the following corollary.

Corollary 3.4. Let $\mathcal{O}$ be an order inside an imaginary quadratic field $K$, and set $d := |\mathcal{O}^\times|$. Let $E/F$ be an elliptic curve defined over a number field $F \subseteq \overline{\mathbb{Q}}$ such that $\mathrm{End}_F(E) \cong \mathcal{O}$. Suppose that $E$ is the twist of another elliptic curve $E'/F$ by $\sqrt[d]{\alpha}$, for some $\alpha \in F^\times$ such that $L := F(\sqrt[d]{\alpha}) \subseteq FK^{\mathrm{ab}}$. Then $I(E/F) = I(E'/F)$.

Proof. First of all, note that the extension $F \subseteq L$ is well defined, because $K \subseteq F$ by the hypothesis $\mathrm{End}_F(E) \cong \mathcal{O}$, and thus the group of $d$-th roots of unity $\mathcal{O}^\times$ is also contained in $F$. Then, one has
\[ \rho_E(\sigma) = \rho_{E'}(\sigma) \cdot \chi_\alpha(\sigma) \tag{3.7} \]
for every $\sigma \in G_F$, where $\rho_E \colon G_F \to G(E/F) \cong \widehat{\mathcal{O}}^\times$ and $\rho_{E'} \colon G_F \to G(E'/F) \cong \widehat{\mathcal{O}}^\times$ are the Galois representations associated to $E$ and $E'$. Moreover, the map $\chi_\alpha \colon G_F \to \mathcal{O}^\times \subseteq \widehat{\mathcal{O}}^\times$ is the Kummer character attached to the extension $F \subseteq L$. In particular, for every $\sigma \in G_F$ the unit $\chi_\alpha(\sigma) \in \mathcal{O}^\times$ is defined by the equality $\sigma(\sqrt[d]{\alpha}) = \chi_\alpha(\sigma) \cdot \sqrt[d]{\alpha}$. Now, for every $\sigma \in \mathrm{Gal}(\overline{\mathbb{Q}}/LF(E'_{\mathrm{tors}}))$, we have that $\rho_{E'}(\sigma) = \chi_\alpha(\sigma) = 1$, hence (3.7) implies that $\rho_E(\sigma) = 1$. Thus, the inclusion $F(E_{\mathrm{tors}}) \subseteq LF(E'_{\mathrm{tors}})$ holds. On the other hand, if $\tau \in \mathrm{Gal}(\overline{\mathbb{Q}}/F(E_{\mathrm{tors}}))$, the hypothesis $L \subseteq FK^{\mathrm{ab}}$ and the inclusion $FK^{\mathrm{ab}} \subseteq F(E_{\mathrm{tors}})$ imply that $\tau$ fixes $L$. Therefore $\rho_E(\tau) = \chi_\alpha(\tau) = 1$, and (3.7) gives that $\rho_{E'}(\tau) = 1$. Hence, the opposite inclusion $LF(E'_{\mathrm{tors}}) \subseteq F(E_{\mathrm{tors}})$ holds. Thus, we have that $F(E_{\mathrm{tors}}) = LF(E'_{\mathrm{tors}}) = F(E'_{\mathrm{tors}})$, where the last equality follows from the hypothesis $L \subseteq FK^{\mathrm{ab}}$ and the inclusion $FK^{\mathrm{ab}} \subseteq F(E'_{\mathrm{tors}})$. Finally, using Theorem 1.1, one gets that $I(E/F) = I(E'/F)$, as we wanted to prove.

4. How to compute the index in practice

In this section we show how one can concretely compute the index $I(E/F)$ for any given CM elliptic curve $E$ defined over a number field $F$. Thanks to Lemma 2.2, we can and will assume throughout this section, without loss of generality, that the number field $F$ contains the CM field $K$. The starting point of our discussion is the formula (1.2) provided by Theorem 1.1. Let us observe that (1.2), albeit completely explicit, involves the degree of the finite extension $FK^{\mathrm{ab}} \subseteq F(E_{\mathrm{tors}})$ which a priori can not be implemented in a computer, because $FK^{\mathrm{ab}}$ is an infinite algebraic extension of $\mathbb{Q}$. Nevertheless, the following result shows how one can rewrite (1.2) as an equality involving only finite abelian groups and number fields.
Proposition 4.1. Let $\mathcal{O}$ be an order inside an imaginary quadratic field $K \subseteq \overline{\mathbb{Q}}$. Fix a number field $F \subseteq \overline{\mathbb{Q}}$ and an elliptic curve $E/F$ such that $\mathrm{End}_F(E) \cong \mathcal{O}$. Then, we have
\[ I(E/F) = \frac{|\mathcal{O}^\times| \cdot [L \cap K^{\mathrm{ab}} : K]}{|\mathrm{Pic}(\mathcal{O})| \cdot [L : F]} \tag{4.1} \]
for every finite extension $F \subseteq L$ such that $F(E_{\mathrm{tors}}) = LK^{\mathrm{ab}}$ is the compositum of $L$ and $K^{\mathrm{ab}}$ inside $\overline{\mathbb{Q}}$.

Proof. Combining Theorem 1.1 with the equality
\[ [F(E_{\mathrm{tors}}) : FK^{\mathrm{ab}}] = [LK^{\mathrm{ab}} : FK^{\mathrm{ab}}] = \frac{[L : F]}{[L \cap K^{\mathrm{ab}} : F \cap K^{\mathrm{ab}}]} = \frac{[L : F]\,[F \cap K^{\mathrm{ab}} : K]}{[L \cap K^{\mathrm{ab}} : K]} \]
allows us to conclude, because $[F \cap K^{\mathrm{ab}} : K] = [F \cap K^{\mathrm{ab}} : H_{\mathcal{O}}] \cdot |\mathrm{Pic}(\mathcal{O})|$.
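As an added worked instance of (4.1), which is not part of the paper and uses only the proposition just proved: take the base field to be the ring class field itself, $F = H_{\mathcal{O}}$, so that $F \cap K^{\mathrm{ab}} = H_{\mathcal{O}}$ and $[H_{\mathcal{O}} : K] = |\mathrm{Pic}(\mathcal{O})|$, and let $H_{\mathcal{O}} \subseteq L$ be any finite extension with $H_{\mathcal{O}}(E_{\mathrm{tors}}) = LK^{\mathrm{ab}}$. Since $H_{\mathcal{O}} \subseteq L \cap K^{\mathrm{ab}} \subseteq L$, both degrees in (4.1) factor through $L \cap K^{\mathrm{ab}}$:
\[ [L \cap K^{\mathrm{ab}} : K] = [L \cap K^{\mathrm{ab}} : H_{\mathcal{O}}] \cdot [H_{\mathcal{O}} : K] = [L \cap K^{\mathrm{ab}} : H_{\mathcal{O}}] \cdot |\mathrm{Pic}(\mathcal{O})|, \]
\[ [L : H_{\mathcal{O}}] = [L : L \cap K^{\mathrm{ab}}] \cdot [L \cap K^{\mathrm{ab}} : H_{\mathcal{O}}], \]
so the factors $[L \cap K^{\mathrm{ab}} : H_{\mathcal{O}}]$ and $|\mathrm{Pic}(\mathcal{O})|$ cancel and (4.1) collapses to
\[ I(E/H_{\mathcal{O}}) = \frac{|\mathcal{O}^\times|}{[L : L \cap K^{\mathrm{ab}}]}. \]
Since the left-hand side is an integer, $[L : L \cap K^{\mathrm{ab}}]$ divides $|\mathcal{O}^\times|$; in particular, when $|\mathcal{O}^\times| = 2$ the index over $H_{\mathcal{O}}$ is $2$ exactly when $L = L \cap K^{\mathrm{ab}}$, i.e. when the extension $K \subseteq L$ is abelian, and $1$ otherwise.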
Using Proposition 4.1, we can now reduce the computation of $I(E/F)$ to the following steps:

S.1 compute $|\mathcal{O}^\times|$ and $|\mathrm{Pic}(\mathcal{O})|$;
S.2 find a finite extension $F \subseteq L$ such that $F(E_{\mathrm{tors}}) = LK^{\mathrm{ab}}$, and compute $[L : F]$;
S.3 compute $[L \cap K^{\mathrm{ab}} : K]$, i.e. the degree of the maximal abelian subextension of $K \subseteq L$.

To achieve S.1 one can use for instance the algorithms described in [7, § 5.3] for the computation of $|\mathrm{Pic}(\mathcal{O})|$, and the fact that $|\mathcal{O}^\times| = 2$ unless $\mathcal{O} = \mathbb{Z}[i]$, for which $|\mathcal{O}^\times| = 4$, or $\mathcal{O} = \mathbb{Z}\bigl[\tfrac{1 + \sqrt{-3}}{2}\bigr]$, for which $|\mathcal{O}^\times| = 6$. Moreover, once S.2 has been carried out, and the extension $F \subseteq L$ is known, one can deal with the last step S.3 in (at least) two different ways:

• one can use the isomorphism
\[ \mathrm{Gal}(L \cap K^{\mathrm{ab}}/K) \cong \mathrm{Gal}(L'/K)^{\mathrm{ab}} \tag{4.2} \]
where $K \subseteq L' \subseteq L$ denotes the maximal sub-extension of $K \subseteq L$ which is Galois over $K$, and the notation $S^{\mathrm{ab}}$ stands for the abelianization of a finite group $S$ (i.e. its maximal abelian quotient). In order to compute the right hand side of (4.2), note that, if $G := \mathrm{Gal}(\widetilde{L}/K)$ denotes the Galois group of the Galois closure $\widetilde{L}$ of the extension $K \subseteq L$, and $H^G \subseteq G$ denotes the normal closure of the subgroup $H := \mathrm{Gal}(\widetilde{L}/L)$ inside $G$, then we have $\mathrm{Gal}(L'/K) \cong G/H^G$. Since both $G$ and $H$ can be computed as subgroups of the symmetric group $S_n$ on $n = [L : K]$ letters (see [7, § 6.3]), the abelian group $(G/H^G)^{\mathrm{ab}}$ can also be explicitly computed, for instance using the functions NormalClosure and MaximalAbelianQuotient in GAP [10];
• one can compute $[L \cap K^{\mathrm{ab}} : K]$ as the index $|\mathrm{Cl}_{\mathfrak{m}}(K) : T_{\mathfrak{m}}(L/K)|$ of the norm group $T_{\mathfrak{m}}(L/K)$ inside the ray class group $\mathrm{Cl}_{\mathfrak{m}}(K)$ modulo the relative discriminant $\mathfrak{m} := \delta_{L/K}$ of $K \subseteq L$ (see [15, Chapter VI, § 7]). This norm group $T_{\mathfrak{m}}(L/K)$ can be computed using an adaptation of [8, Algorithm 4.4.5] to the non-Galois case. More precisely:
– in the fourth step of the aforementioned algorithm, one can proceed even if the polynomials $T_j$ do not have the same degree, by taking as $f$ the greatest common divisor of their degrees. Indeed, $T_{\mathfrak{m}}(L/K)$ is by definition generated by the classes of $\mathfrak{p}^{f(\mathfrak{P}/\mathfrak{p})}$, where $\mathfrak{p} := \mathfrak{P} \cap \mathcal{O}_K$ and $\mathfrak{P}$ varies amongst the prime ideals of $\mathcal{O}_L$ coprime with $\mathfrak{m} \cdot \mathcal{O}_L$, and the inertia degrees $f(\mathfrak{P}/\mathfrak{p})$ correspond exactly to the degrees of the polynomials $T_j$ mentioned above;
– in the second step of the same algorithm, one should always output the matrix $M$ even if $\det(M) \neq [L : K]$. In fact, $\det(M)$ will be precisely the index of the norm group inside $\mathrm{Cl}_{\mathfrak{m}}(K)$, i.e. one has that $[L \cap K^{\mathrm{ab}} : K] = \det(M)$.

Note that this modification does indeed work (assuming the validity of the Generalised Riemann Hypothesis), because $T_{\mathfrak{m}}(L/K) = T_{\mathfrak{m}}(L \cap K^{\mathrm{ab}}/K)$ by [1, Chapter XIV, Theorem 7]. Thus, in order to have a complete procedure for the computation of the CM index $I(E/F)$, we only need to prove that one can always find a finite extension $F \subseteq L$ such that $F(E_{\mathrm{tors}}) = LK^{\mathrm{ab}}$ as in S.2. The next proposition shows that one can take $L$ to be essentially any division field.

Proposition 4.2. Let $\mathcal{O}$ be an order inside an imaginary quadratic field $K$ and let $E/F$ be an elliptic curve defined over a number field $F \subseteq \overline{\mathbb{Q}}$ such that $\mathrm{End}_F(E) \cong \mathcal{O}$. Fix an ideal $I \subseteq \mathcal{O}$ and let $L := F(E[I])$ be the $I$-division field associated to $E$. Then $F(E_{\mathrm{tors}}) = LK^{\mathrm{ab}}$ whenever $|\mathbb{Z}/(I \cap \mathbb{Z})| > 2$ if $j(E) \neq 0$, and $|\mathbb{Z}/(I \cap \mathbb{Z})| > 3$ otherwise.

Proof. The inclusion $LK^{\mathrm{ab}} \subseteq F(E_{\mathrm{tors}})$ is clear, and the other containment can be proved as in [5, Proposition 5.7]. More precisely, fix an embedding $\overline{\mathbb{Q}} \hookrightarrow \mathbb{C}$ and a complex uniformisation $\xi \colon \mathbb{C} \twoheadrightarrow E(\mathbb{C})$, such that $\ker(\xi) = \Lambda$ for some lattice $\Lambda \subseteq K$. Then [18, Theorem 5.4] shows that, for every field automorphism $\sigma \colon \mathbb{C} \to \mathbb{C}$ which fixes $FK^{\mathrm{ab}}$, there exists a complex uniformisation $\xi' \colon \mathbb{C} \twoheadrightarrow E(\mathbb{C})$ such that $\sigma(\xi(z)) = \xi'(z)$ for every $z \in K$. This implies in particular that there exists $\varepsilon \in \mathcal{O}^\times$ such that $\sigma(P) = [\varepsilon]_E(P)$ for every $P \in E_{\mathrm{tors}}$. If now $\sigma$ fixes also the division field $L = F(E[I])$, one must have $\varepsilon = 1$ by our assumptions on $I$. We conclude that $\sigma$ fixes the entire $F(E_{\mathrm{tors}})$, which in turn implies that $F(E_{\mathrm{tors}}) \subseteq LK^{\mathrm{ab}}$ as we wanted to show.

Using Proposition 4.2, we see that S.1, S.2 and S.3 indeed describe a procedure to compute the index $I(E/F)$ for any CM elliptic curve defined over any number field $F$. In practice, in S.2 it is convenient to choose a "small" division field $L = F(E[I])$, for instance by using $I = 3\mathcal{O}$ (when $j(E) \neq 0$), which gives $[L : F] \leq 8$. However, if one already knows an elliptic curve $E'/F$ with $j(E') = j(E)$ and such that $F(E'_{\mathrm{tors}}) = FK^{\mathrm{ab}}$, then the subsequent Proposition 4.3, whose proof is analogous to that of Corollary 3.4, shows that one can take $L$ to be a Kummer extension of $F$ with degree $[L : F] \leq |\mathcal{O}^\times| \leq 6$. Since computations involving division fields of elliptic curves are typically hard, taking such an $L$ is certainly more advantageous in this situation.

Proposition 4.3. Let $\mathcal{O}$ be an order inside an imaginary quadratic field $K$, and set $d := |\mathcal{O}^\times|$. Let $E/F$ be an elliptic curve defined over a number field $F \subseteq \overline{\mathbb{Q}}$ such that $\mathrm{End}_F(E) \cong \mathcal{O}$. Suppose that there exists another elliptic curve $E'/F$ such
that $F(E'_{\mathrm{tors}}) = FK^{\mathrm{ab}}$, and that $E$ is the twist of $E'$ by $\sqrt[d]{\alpha}$, for some $\alpha \in F^\times$. Then $F(E_{\mathrm{tors}}) = LK^{\mathrm{ab}}$, where $L = F(\sqrt[d]{\alpha})$.

Proof. If $\sigma \in \mathrm{Gal}(\overline{\mathbb{Q}}/LF(E'_{\mathrm{tors}}))$, we see from the twisting formula (3.7) that one has $\rho_E(\sigma) = \rho_{E'}(\sigma) \cdot \chi_\alpha(\sigma) = 1$, hence $F(E_{\mathrm{tors}}) \subseteq LF(E'_{\mathrm{tors}})$. Vice versa, if $\tau \in \mathrm{Gal}(\overline{\mathbb{Q}}/F(E_{\mathrm{tors}}))$ then $\rho_E(\tau) = 1$ and $\rho_{E'}(\tau) = \chi_\alpha(\tau^{-1}) \in \mathcal{O}^\times$. However, (3.5) shows that $\rho_{E'}(G_F) \cap \mathcal{O}^\times = \{1\}$, because $F(E'_{\mathrm{tors}}) = FK^{\mathrm{ab}}$ by assumption. Hence $\rho_{E'}(\tau) = \chi_\alpha(\tau) = 1$, which gives $F(E_{\mathrm{tors}}) = LF(E'_{\mathrm{tors}}) = LK^{\mathrm{ab}}$, as we wanted.

Remark 4.4. Note that the condition $F(E'_{\mathrm{tors}}) = FK^{\mathrm{ab}}$ is invariant under base change along a finite extension $F \subseteq F'$. In particular, if $\mathrm{Pic}(\mathcal{O}) = \{1\}$, one can take as $E'$ any base change to $F$ of an elliptic curve defined over $K$ which has complex multiplication by $\mathcal{O}$. On the other hand, if $\mathrm{Pic}(\mathcal{O}) \neq \{1\}$, constructing such an elliptic curve is a non-trivial matter, as we will see in the next section.
5. Explicit examples

We now want to provide some examples of index computations for CM elliptic curves $E$ defined over the corresponding field of moduli $\mathbb{Q}(j(E))$. A way of constructing such curves is to consider an elliptic curve $\mathcal{E}$ defined over the function field $\mathbb{Q}(j)$, with $j$-invariant $j(\mathcal{E}) = j$ and discriminant $\Delta_{\mathcal{E}} \in \mathbb{Q}(j)$, and then specialise the parameter to $j = j_0$ for some CM $j$-invariant $j_0 \in \overline{\mathbb{Q}}$ such that $\Delta_{\mathcal{E}}(j_0) \neq 0$. When we want to emphasize that the specialization at $j_0$ of the elliptic curve $\mathcal{E}$ has complex multiplication by some order $\mathcal{O}$, we say that $j_0 \in \overline{\mathbb{Q}}$ is relative to the order $\mathcal{O}$. With a view towards doing explicit calculations in the most popular computer algebra systems in computational number theory, we consider and compare the following choices of $\mathcal{E}$:

(1) the curve
\[ \mathcal{E}_{\mathrm{SAGE}} \colon y^2 = x^3 + (-3j^2 + 5184j)\,x - 2j^3 + 6912j^2 - 5971968j \]
implemented under the command EllipticCurve_from_j(j, False) in the software SageMath [24]. We warn the reader that, without setting the second optional parameter equal to False, the command EllipticCurve_from_j, applied to a rational number $j_0 \in \mathbb{Q}$, returns an elliptic curve $E/\mathbb{Q}$ which has $j$-invariant $j(E) = j_0$, and minimal conductor among all its twists. This curve, in general, can be different from the specialization of $\mathcal{E}_{\mathrm{SAGE}}$ at $j = j_0$;
(2) the curve
\[ \mathcal{E}_{\mathrm{PARI}} \colon y^2 = x^3 + (-3j^2 + 5184j)\,x + 2j^3 - 6912j^2 + 5971968j \]
implemented under the command ellfromj(j) in the software PARI/GP [23];
(3) the curve
\[ \mathcal{E}_{\mathrm{MAGMA}} \colon y^2 + xy = x^3 - \frac{36}{j - 1728}\,x - \frac{1}{j - 1728} \]
implemented under the command EllipticCurveFromjInvariant(j) in the software MAGMA [2].

The above families are clearly all defined over $\mathbb{Q}(j)$, and their singular specializations occur only at the values $j_0 \in \{0, 1728\}$. Moreover, it is easily verified that
$\mathcal{E}_{\mathrm{PARI}}$ and $\mathcal{E}_{\mathrm{SAGE}}$ are isomorphic over $\mathbb{Q}(j, \sqrt{-1})$, while $\mathcal{E}_{\mathrm{SAGE}}$ and $\mathcal{E}_{\mathrm{MAGMA}}$ are isomorphic over $\mathbb{Q}\bigl(j, \sqrt{\tfrac{1728 - j}{3}}\bigr)$.
Now, for every CM $j$-invariant $j_0 \in \overline{\mathbb{Q}}$ relative to an order of class number 2, we want to compute the index $I(E_{j_0}/\mathbb{Q}(j_0))$ where $E_{j_0}$ is the fiber over $j_0$ in any of the three families described above (one can check that all these fibers are non-singular). First of all, we show that for every CM invariant $j_0 \in \overline{\mathbb{Q}}$ the CM fibers $E_{j_0}$ in the above families have the same index $I(E_{j_0}/\mathbb{Q}(j_0))$. Fix now a CM $j$-invariant $j_0 \in \overline{\mathbb{Q}} \setminus \{0, 1728\}$ relative to an order $\mathcal{O}$. Let moreover $(E_{j_0}, E'_{j_0}, E''_{j_0})$ be the specialisations of the families $(\mathcal{E}_{\mathrm{SAGE}}, \mathcal{E}_{\mathrm{PARI}}, \mathcal{E}_{\mathrm{MAGMA}})$ to $j = j_0$. If $H_{\mathcal{O}} = K(j_0)$ denotes the ring class field relative to the order $\mathcal{O}$ then by Lemma 2.2 we have $I(E_{j_0}/\mathbb{Q}(j_0)) = I(E_{j_0}/H_{\mathcal{O}})$ and similarly with the other two elliptic curves, so we assume that everything is base-changed to the ring class field. Since by the discussion above $E_{j_0}$ and $E'_{j_0}$ are twisted over $H_{\mathcal{O}}$ by $\alpha = -1$ and $H_{\mathcal{O}}(\sqrt{-1}) \subseteq K^{\mathrm{ab}}$ (being the compositum of two abelian extensions of $K$), Corollary 3.4 allows us to conclude that $I(E_{j_0}/\mathbb{Q}(j_0)) = I(E'_{j_0}/\mathbb{Q}(j_0))$. Furthermore, the elliptic curve $\mathcal{E}_{\mathrm{MAGMA}}$ admits a short Weierstraß form
\[ y^2 = x^3 - \frac{27j}{j - 1728}\,x + \frac{54j}{j - 1728} \]
whose discriminant is given by $\Delta_j := 6^{12} \cdot j^2/(j - 1728)^3$. Thus, we see that
\[ H_{\mathcal{O}}\bigl(\sqrt{j_0 - 1728}\bigr) = H_{\mathcal{O}}\bigl(\sqrt{\Delta_{j_0}}\bigr) \subseteq H_{\mathcal{O}}(E''_{j_0}[2]) \]
for every CM $j$-invariant $j_0 \in \overline{\mathbb{Q}}$ relative to the order $\mathcal{O}$. Since $H_{\mathcal{O}}(E''_{j_0}[2])$ is generated over $H_{\mathcal{O}}$ by the Weber functions evaluated at 2-torsion points, we have that $H_{\mathcal{O}}(E''_{j_0}[2]) \subseteq K^{\mathrm{ab}}$ (see [5, Theorem 4.7]). Thus $H_{\mathcal{O}}\bigl(\sqrt{(1728 - j_0)/3}\bigr)$ is abelian over $K$, and Corollary 3.4 shows that $I(E_{j_0}/\mathbb{Q}(j_0)) = I(E''_{j_0}/\mathbb{Q}(j_0))$. Hence, we can conclude that the three families $\mathcal{E}_{\mathrm{PARI}}$, $\mathcal{E}_{\mathrm{SAGE}}$ and $\mathcal{E}_{\mathrm{MAGMA}}$, when specialised to the same CM $j$-invariant, have the same CM index. We will use in the rest of the paper the elliptic curves $E_{j_0}$ obtained by specialising the family $\mathcal{E}_{\mathrm{SAGE}}$. Note that, once the imaginary quadratic order $\mathcal{O}$ is fixed, the index $I(E_{j_0}/\mathbb{Q}(j_0))$ does not depend on the particular $j$-invariant $j_0 \in \overline{\mathbb{Q}}$ relative to $\mathcal{O}$ to which one specializes the family $\mathcal{E}_{\mathrm{SAGE}}$, because all these $j$-invariants are conjugate under the action of the absolute Galois group $\mathrm{Gal}(\overline{\mathbb{Q}}/\mathbb{Q})$ (see [9, Proposition 13.2]).

Let us turn now to the computation of the index $I(E_{j_0}/\mathbb{Q}(j_0))$, where we take $j_0 \in \overline{\mathbb{Q}}$ to be a CM $j$-invariant relative to an order of class number 2. The procedure described in Section 4 simplifies considerably in this case. Indeed, in general, for any imaginary quadratic order $\mathcal{O} \neq \mathbb{Z}\bigl[\tfrac{1 + \sqrt{-3}}{2}\bigr]$ and any elliptic curve $E$ with complex multiplication by $\mathcal{O}$ and defined over the ring class field $H_{\mathcal{O}}$, one has that
\[ I(E/H_{\mathcal{O}}) = \frac{2}{[H_{\mathcal{O}}(E[3]) : H_{\mathcal{O}}(E[3]) \cap K^{\mathrm{ab}}]} \tag{5.1} \]
as one can see by combining Proposition 4.1 and Proposition 4.2. Moreover, since
\[ [H_{\mathcal{O}}(E[3]) : H_{\mathcal{O}}(E[3]) \cap K^{\mathrm{ab}}] = \begin{cases} 1, & \text{if the extension } K \subseteq H_{\mathcal{O}}(E[3]) \text{ is abelian;} \\ 2, & \text{otherwise} \end{cases} \]
(as follows from (5.1)), we see, using Lemma 2.2, that the computation of $I(E_{j_0}/\mathbb{Q}(j_0))$ reduces to understanding whether or not the 3-division field of $E_{j_0}$ is an abelian extension of
$K$. We implemented this computation in SageMath (importing also the functions polredbest and rnfisabelian from PARI/GP), as shown in Algorithm 5.1. We ran this algorithm for all the $j$-invariants relative to orders $\mathcal{O}$ of class number 2, whose discriminants $\Delta_{\mathcal{O}}$ are given by the following list:
\[ \Delta_{\mathcal{O}} \in \{-15, -20, -24, -32, -35, -36, -40, -48, -51, -52, -60, -64, -72, -75, -88, -91, -99, -100, -112, -115, -123, -147, -148, -187, -232, -235, -267, -403, -427\} \]
which can be obtained either by applying the algorithms described in [25], and implemented under the function discriminants_with_bounded_class_number of the SageMath module sage.schemes.elliptic_curves.cm, or by appealing to the classical result [22, Theorem 1], and then applying the class number formula [9, Theorem 7.24]. The results of this computation show that $I(E_{j_0}/\mathbb{Q}(j_0)) = 1$ unless $\Delta_{\mathcal{O}} = -15$, in which case $I(E_{j_0}/\mathbb{Q}(j_0)) = 2$.

To conclude, consider the order $\mathcal{O} = \mathbb{Z}[\sqrt{-5}]$ of discriminant $\Delta_{\mathcal{O}} = -20$, such that $I(E_{j_0}/\mathbb{Q}(j_0)) = 1$ for every CM $j$-invariant $j_0 \in \overline{\mathbb{Q}}$ relative to $\mathcal{O}$. We now construct, by a suitable twist of $E := E_{j_0}$ over the Hilbert class field $H := H_{\mathcal{O}}$, another elliptic curve $E'/H$ with complex multiplication by $\mathcal{O}$, with the property that $I(E'/H) = 2$. To do so, we specialize $j_0 = 282880\sqrt{5} + 632000$, so that
Algorithm 5.1. SageMath code to compute the index $I(E_{j_0}/\mathbb{Q}(j_0))$, relative to the elliptic curve $E_{j_0}$ obtained by specialising the family $\mathcal{E}_{\mathrm{SAGE}}$ to a CM $j$-invariant $j_0$. (The generator names in the angle brackets below were lost in extraction and have been reconstructed; any names work.)

Input: Delta = $\Delta_{\mathcal{O}}$, the discriminant of an imaginary quadratic order $\mathcal{O}$.

    from sage.libs.pari.convert_sage import gen_to_sage
    R.<x> = PolynomialRing(QQ)
    K.<a> = NumberField(x^2 - Delta)                        # the CM field K = Q(sqrt(Delta))
    F.<j> = K.extension(hilbert_class_polynomial(Delta))    # F = H_O = K(j_0), j a CM j-invariant relative to O
    E = EllipticCurve_from_j(j, F)                          # fiber of E_SAGE at j_0 (the 2nd argument only matters for j in QQ)
    # absolute model of F with a reduced defining polynomial (PARI's polredbest)
    Fabs.<b> = NumberField(gen_to_sage(pari(F.absolute_polynomial()).polredbest(), {'x': x}))
    Eabs = E.base_extend(F.embeddings(Fabs)[0])
    F3.<c> = Eabs.division_field(3)                         # the 3-division field H_O(E[3])
    F3best.<d> = NumberField(gen_to_sage(pari(F3.absolute_polynomial()).polredbest(), {'x': x}))
    F3rel.<e, f> = F3best.relativize(K.embeddings(F3best)[0])   # H_O(E[3]) as a relative extension of K
    if F3rel.is_galois_relative():
        # rnfisabelian returns 1 if K <= H_O(E[3]) is abelian (index 2) and 0 otherwise (index 1)
        nfK = pari('y^2 + ' + str(-Delta)).nfinit()
        Index = int(pari.rnfisabelian(nfK, pari(F3rel.relative_polynomial()))) + 1
    else:
        Index = 1

Output: Index = $I(E_{j_0}/\mathbb{Q}(j_0))$, for any CM $j$-invariant $j_0$ relative to $\mathcal{O}$
$E := E_{j_0}$ is given by:
$$E : y^2 = x^3 + 29736960\,(36023\sqrt{5} - 80550)\,x - 55826186240\,(16154216\sqrt{5} + 36121925) \tag{5.2}$$
and we follow the procedure described in the proof of [5, Theorem 5.11]. More precisely, observe that $H = \mathbb{Q}(\sqrt{-5}, i)$ and the ideal $3 \cdot \mathcal{O}$ factors as $3 \cdot \mathcal{O} = \mathfrak{p}_3 \cdot \overline{\mathfrak{p}}_3$, where $\mathfrak{p}_3 = (3, \sqrt{-5} + 1)$ and $\overline{\mathfrak{p}}_3 = (3, \sqrt{-5} - 1)$. By [5, Theorem 4.6] one has that $H_{\mathfrak{p}_3} = H_{\overline{\mathfrak{p}}_3} = H$, where $H_{\mathfrak{p}_3}$ and $H_{\overline{\mathfrak{p}}_3}$ denote respectively the ray class fields of $K$ modulo $\mathfrak{p}_3$ and $\overline{\mathfrak{p}}_3$. This in particular implies, using [20, Chapter II, Theorem 5.6], that the x-coordinates of the points $P \in E[\mathfrak{p}_3] \cup E[\overline{\mathfrak{p}}_3]$ lie in $H$. Moreover, it follows from [3, Lemma 2.4] that $|E[\mathfrak{p}_3]| = |E[\overline{\mathfrak{p}}_3]| = 3$, which shows that each non-trivial $\mathfrak{p}_3$-torsion point has the same x-coordinate, and similarly for non-trivial $\overline{\mathfrak{p}}_3$-torsion points. From the factorization
$$\phi_{E,3}(x) = 3 \cdot (x + 594880 + 59840i - 26048\sqrt{-5} + 266816\sqrt{5}) \cdot (x + 594880 - 59840i + 26048\sqrt{-5} + 266816\sqrt{5}) \cdot \bigl(x^2 - (1189760 + 533632\sqrt{5})\,x - 2668089262080 - 1193205432320\sqrt{5}\bigr)$$
of the 3-division polynomial $\phi_{E,3} \in H[x]$, one can verify that the number
$$x_3 := -594880 - 59840i + 26048\sqrt{-5} - 266816\sqrt{5}$$
is the x-coordinate of all the non-trivial $\mathfrak{p}_3$-torsion points. Hence we have that $H(E[\mathfrak{p}_3]) = H(\sqrt{\alpha})$, where the number
$$\alpha := 13956546560 \cdot (1190435 + 2307955i - 1032149\sqrt{-5} + 532379\sqrt{5})$$
is obtained by substituting $x_3$ in the right hand side of (5.2). It can be checked that the extension $K \subseteq H(\sqrt{\alpha})$ is not Galois, and in particular not abelian, which is compatible with the fact that $I(E/\mathbb{Q}(j_0)) = 1$. Thus, the twisted elliptic curve $E' := E^{(\alpha)}$, given by the global minimal Weierstraß model:
$$E' : y^2 - \frac{1 + i + \sqrt{-5} + \sqrt{5}}{2}\,xy - \frac{1 - i + \sqrt{-5} + \sqrt{5}}{2}\,y = x^3 + x^2 + (2i - \sqrt{5})\,x - 1 + 2i \tag{5.3}$$
has index $I(E'/H) = 2$, as follows from (5.1). Indeed, the first point of [5, Proposition 5.1] implies that $H(E'[\mathfrak{p}_3]) = H_{\mathfrak{p}_3}$, which entails that $H(E'[3])$ coincides with the 3-ray class field of $K$, as can also be checked by direct computation. Note finally that $H(E'_{\mathrm{tors}}) = K^{\mathrm{ab}}$, as follows from Corollary 3.2.

Remark 5.1. The interested reader can find at [6] a SageMath notebook in which we implemented the computations carried out to find the elliptic curve $E'$ appearing in (5.3).

Acknowledgments

We would like to thank François Brunault, Ian Kiming, Fabien Pazuki and Peter Stevenhagen for many useful discussions. We also thank the anonymous referees for their helpful comments and suggestions.
HOW BIG IS THE IMAGE OF CM GALOIS REPRESENTATIONS?
References

[1] E. Artin and J. Tate, Class field theory, W. A. Benjamin, Inc., New York-Amsterdam, 1968. MR0223335
[2] Wieb Bosma, John Cannon, and Catherine Playoust, The Magma algebra system. I. The user language, J. Symbolic Comput. 24 (1997), no. 3-4, 235–265, DOI 10.1006/jsco.1996.0125. Computational algebra and number theory (London, 1993). MR1484478
[3] Abbey Bourdon and Pete L. Clark, Torsion points and Galois representations on CM elliptic curves, Pacific J. Math. 305 (2020), no. 1, 43–88, DOI 10.2140/pjm.2020.305.43. MR4077686
[4] Abbey Bourdon, Pete L. Clark, and James Stankewicz, Torsion points on CM elliptic curves over real number fields, Trans. Amer. Math. Soc. 369 (2017), no. 12, 8457–8496, DOI 10.1090/tran/6905. MR3710632
[5] Francesco Campagna and Riccardo Pengo, Entanglement in the family of division fields of elliptic curves with complex multiplication, to appear in Pacific Journal of Mathematics.
[6] Francesco Campagna and Riccardo Pengo, Finding explicitly a CM elliptic curve with small Galois image, SageMath notebook, available at: https://bit.ly/3oyzOOb.
[7] Henri Cohen, A course in computational algebraic number theory, Graduate Texts in Mathematics, vol. 138, Springer-Verlag, Berlin, 1993, DOI 10.1007/978-3-662-02945-9. MR1228206
[8] Henri Cohen, Advanced topics in computational number theory, Graduate Texts in Mathematics, vol. 193, Springer-Verlag, New York, 2000, DOI 10.1007/978-1-4419-8489-0. MR1728313
[9] David A. Cox, Primes of the form x² + ny², 2nd ed., Pure and Applied Mathematics (Hoboken), John Wiley & Sons, Inc., Hoboken, NJ, 2013. Fermat, class field theory, and complex multiplication, DOI 10.1002/9781118400722. MR3236783
[10] The GAP Group, GAP – Groups, Algorithms, and Programming, 2021, Version 4.11.1.
[11] Serge Lang, Elliptic functions, 2nd ed., Graduate Texts in Mathematics, vol. 112, Springer-Verlag, New York, 1987. With an appendix by J. Tate, DOI 10.1007/978-1-4612-4752-4. MR890960
[12] Davide Lombardo, Bounds for Serre's open image theorem for elliptic curves over number fields, Algebra Number Theory 9 (2015), no. 10, 2347–2395, DOI 10.2140/ant.2015.9.2347. MR3437765
[13] Davide Lombardo, Galois representations attached to abelian varieties of CM type (English, with English and French summaries), Bull. Soc. Math. France 145 (2017), no. 3, 469–501, DOI 10.24033/bsmf.2745. MR3766118
[14] Álvaro Lozano-Robledo, Galois representations attached to elliptic curves with complex multiplication, to appear in Algebra & Number Theory.
[15] Jürgen Neukirch, Algebraic number theory, Grundlehren der mathematischen Wissenschaften [Fundamental Principles of Mathematical Sciences], vol. 322, Springer-Verlag, Berlin, 1999. Translated from the 1992 German original and with a note by Norbert Schappacher; With a foreword by G. Harder, DOI 10.1007/978-3-662-03983-0. MR1697859
[16] Jeremy Rouse, Andrew V. Sutherland, and David Zureick-Brown, ℓ-adic images of Galois for elliptic curves over Q, 2021, arXiv:2106.11141.
[17] Jean-Pierre Serre, Propriétés galoisiennes des points d'ordre fini des courbes elliptiques (French), Invent. Math. 15 (1972), no. 4, 259–331, DOI 10.1007/BF01405086. MR387283
[18] Goro Shimura, Introduction to the arithmetic theory of automorphic functions, Publications of the Mathematical Society of Japan, vol. 11, Princeton University Press, Princeton, NJ, 1994. Reprint of the 1971 original; Kanô Memorial Lectures, 1. MR1291394
[19] Goro Shimura, Abelian varieties with complex multiplication and modular functions, Princeton Mathematical Series, vol. 46, Princeton University Press, Princeton, NJ, 1998, DOI 10.1515/9781400883943. MR1492449
[20] Joseph H. Silverman, Advanced topics in the arithmetic of elliptic curves, Graduate Texts in Mathematics, vol. 151, Springer-Verlag, New York, 1994, DOI 10.1007/978-1-4612-0851-8. MR1312368
[21] Joseph H. Silverman, The arithmetic of elliptic curves, 2nd ed., Graduate Texts in Mathematics, vol. 106, Springer, Dordrecht, 2009, DOI 10.1007/978-0-387-09494-6. MR2514094
[22] H. M. Stark, On complex quadratic fields with class-number two, Math. Comp. 29 (1975), 289–302, DOI 10.2307/2005481. MR369313
[23] The PARI Group, PARI/GP version 2.11.2, Univ. Bordeaux, 2019.
[24] The Sage Developers, SageMath, the Sage Mathematics Software System (Version 9.0), 2020.
[25] Mark Watkins, Class numbers of imaginary quadratic fields, Math. Comp. 73 (2004), no. 246, 907–938, DOI 10.1090/S0025-5718-03-01517-5. MR2031415
[26] David Zywina, Possible indices for the Galois image of elliptic curves over Q, 2015, arXiv:1508.07663.

Max Planck Institute for Mathematics, Vivatsgasse 7, 53111 Bonn, Germany
Email address: [email protected]

École normale supérieure de Lyon, Unité de Mathématiques Pures et Appliquées, 46 allée d'Italie, 69007 Lyon, France
Email address: [email protected]
Contemporary Mathematics Volume 779, 2022 https://doi.org/10.1090/conm/779/15671
Multiradical isogenies

Wouter Castryck and Thomas Decru

Abstract. We argue that for all integers $N \geq 2$ and $g \geq 1$ there exist "multiradical" isogeny formulae, which can be iteratively applied to compute $(N^k, \dots, N^k)$-isogenies between principally polarized $g$-dimensional abelian varieties, for any value of $k \geq 2$. The formulae are complete: each iteration involves the extraction of $g(g+1)/2$ different $N$-th roots, whence the epithet multiradical, and by varying which roots are chosen one computes all $N^{g(g+1)/2}$ extensions to an $(N^k, \dots, N^k)$-isogeny of the incoming $(N^{k-1}, \dots, N^{k-1})$-isogeny. Our group-theoretic argumentation is heuristic, but it is supported by concrete formulae for several prominent families. As our main application, we illustrate the use of multiradical isogenies by implementing a hash function from $(3,3)$-isogenies between Jacobians of superspecial genus-2 curves, showing that it outperforms its $(2,2)$-counterpart by an asymptotic factor $\approx 9$ in terms of speed.
2020 Mathematics Subject Classification. Primary 14G50, Secondary 14K02, 14H40.
This work was supported by the Research Council KU Leuven grant C14/18/067, by CyberSecurity Research Flanders with reference code VR20192203, and by the Research Foundation Flanders (FWO) through the WOG Coding Theory and Cryptography.
© 2022 American Mathematical Society

1. Introduction

In a previous joint work with Vercauteren [10], we introduced the concept of radical isogenies between elliptic curves, which in low degree allow for a very fast computation of isogeny chains over finite fields, e.g., of the type used in Charles, Goren and Lauter's hash function [12] and in the Couveignes–Rostovtsev–Stolbunov key exchange protocol [14, 42] and its descendant CSIDH [11]. The central observation was that for any integer $N \geq 2$ there exist explicit formulae which, upon input of an elliptic curve $E$ — say given in long Weierstrass form — over a perfect field $K$ with $\operatorname{char} K \nmid N$ and a point $P \in E$ of order $N$, produce the coordinates of an order-$N$ point $P' \in E' = E/\langle P \rangle$ such that the isogeny $\varphi' : E' \to E'/\langle P' \rangle$ cyclically extends $\varphi : E \to E/\langle P \rangle$. This, of course, assumes that we have a defining equation for $E'$ at hand, such as the one provided by Vélu [45]. Moreover, the formulae can be chosen to enjoy the following properties.

(1) Radicality. The formulae are algebraic expressions in the coefficients of $E$, the coordinates of $P$ and a radical $\sqrt[N]{r_1}$, where $r_1$ is itself an algebraic expression in these coefficients and coordinates.

(2) Completeness. By varying the $N$-th root chosen, i.e., by scaling $\sqrt[N]{r_1}$ with powers of a primitive $N$-th root of unity $\zeta_N \in \overline{K}$, we obtain generators
for all $N$ subgroups $G' \subseteq E'$ of order $N$ which are such that $E' \to E'/G'$ cyclically extends $\varphi$.

(3) Good reduction. The formulae are naturally defined over $\mathbb{Z}[1/N]$, i.e., they work over any perfect field $K$ with $\operatorname{char} K \nmid N$. (The last property is in fact conjectural [10, Conj. 1].)

Concrete versions of our radical isogeny formulae for $N = 2, \dots, 13$ can be found in the GitHub repository that accompanies [10]. For the sake of illustration, we have included the details of the case $N = 5$ in Section 4.

The current paper studies how radical isogenies generalize to principally polarized (p.p.) abelian varieties of any given dimension $g \geq 1$. That is, we are looking for formulae which, upon input of a $g$-dimensional p.p. abelian variety $A$ over a perfect field $K$ with $\operatorname{char} K \nmid N$ and points $P_1, \dots, P_g \in A$ that generate an $(N, \dots, N)$-subgroup¹ $G \subseteq A$, produce the coordinates of points $P'_1, \dots, P'_g \in A' = A/G$ generating an $(N, \dots, N)$-subgroup $G' \subseteq A'$ such that the composition $A \to A' = A/G \to A'/G'$ is an $(N^2, \dots, N^2)$-isogeny.

When aiming for universally applicable formulae, a major bottleneck is the lack of an analogue of the long Weierstrass form for p.p. abelian varieties of dimension $g \geq 2$. That is, we do not know of a set of defining equations from which every $g$-dimensional p.p. abelian variety $A$ can be obtained by specializing coefficients. Moreover, in practical applications, we are mostly interested in instances of $A$ that are described in a more implicit form, e.g., as the Jacobian of some genus-$g$ curve, or as a product of Jacobians of lower-genus curves. Things are complicated further by the fact that the isogenous p.p. abelian variety $A'$ may be of a different type, e.g., if $A$ is a Jacobian, then this may not be the case for $A'$. We therefore focus on smaller families, parametrized by the points $s$ of some quasi-affine set $S$.
Concretely, we assume to have algebraic formulae at our disposal which can be evaluated at the coordinates of any point $s \in S$, each time producing a $g$-dimensional p.p. abelian variety $A_s$ together with points $P_{s,1}, \dots, P_{s,g}$ that generate an $(N, \dots, N)$-subgroup $G_s \subseteq A_s$. We furthermore assume that the family comes equipped with Vélu-like formulae providing an explicit description of the isogenous p.p. abelian variety $A'_s = A_s/G_s$. Several examples of such families can be found in Section 4 and Section 5.

Conjecture 1. Under the above assumptions, there always exist accompanying formulae which, when evaluated at $s$, produce points $P'_{s,1}, \dots, P'_{s,g} \in A'_s$ generating a subgroup $G'_s \subseteq A'_s$ such that the composition $A_s \to A'_s \to A'_s/G'_s$ is an $(N^2, \dots, N^2)$-isogeny. Moreover, these formulae can be chosen to enjoy the following properties:

(1) Multiradicality. They are algebraic expressions in the coordinates of $s$ and radicals $\sqrt[N]{r_1}, \dots, \sqrt[N]{r_{g(g+1)/2}}$, where in turn the radicands $r_i$ are algebraic expressions in the coordinates of $s$.

(2) Completeness. By varying the $N$-th roots chosen, i.e., by scaling them with powers of $\zeta_N \in \overline{K}$, we obtain generating sets for all $N^{g(g+1)/2}$ subgroups $G'_s \subseteq A'_s$ such that $A_s \to A'_s = A_s/G_s \to A'_s/G'_s$ is an $(N^2, \dots, N^2)$-isogeny.
¹ See Section 2.2 for a definition.
(3) Good reduction. If the family $S$ is defined over $\mathbb{Z}[1/M]$ for some multiple $M$ of $N$, then so are our formulae, i.e., they work over any perfect field $K$ with $\operatorname{char} K \nmid M$.

Formulae of the above kind will be called multiradical isogeny formulae. We refer to Section 3 for a more extensive discussion of Conjecture 1, where we will provide a group-theoretic heuristic argument in favor of the existence of multiradical isogeny formulae. However, we stress that each of the above subclaims remains conjectural. We will also discuss an addendum to Conjecture 1, namely that one can always take the radicands $r_1, \dots, r_{g(g+1)/2}$ to be representatives of the Tate pairings $t_N(P_{s,i}, P_{s,j})$, $1 \leq i \leq j \leq g$, in the sense of Frey and Rück [24], as soon as these are well-defined.

Further support comes from concrete examples of multiradical isogeny formulae, which are discussed in Section 4 and Section 5. For arbitrary $N$ and in arbitrary dimension $g$, we discuss fully split $(N, \dots, N)$-isogenies from $g$-fold products of elliptic curves. Other examples focus on Jacobians of genus-2 curves, where we discuss non-split $(2,2)$-isogenies (also known as Richelot isogenies) and non-split $(3,3)$-isogenies as described by Bruin, Flynn and Testa [5]. We also study the multiradical nature of certain $(5,5)$-isogenies that were described by Flynn [21].

Remark 1.1. Our eventual goal is the computation of $(N^k, \dots, N^k)$-isogenies, for arbitrary $k \geq 2$, achieved by an iterated application of our formulae. However, it is possible, and unavoidable in general, that the isogenous p.p. abelian variety $A'_s$ marked with $P'_{s,1}, \dots, P'_{s,g}$ does not belong to our family. For instance, if $S$ parametrizes Jacobians of genus-2 curves, we may run into a product of elliptic curves. In such cases, one needs to resort to different sets of multiradical isogeny formulae in order to cover the entire isogeny chain.
We illustrate the use of multiradical isogenies in Section 6, by constructing a Charles–Goren–Lauter style hash function from $(3,3)$-isogenies between superspecial p.p. abelian surfaces over a large quadratic finite field $\mathbb{F}_{p^2}$, similar to the $(2,2)$-construction from our joint work with Smith [9]. In short, each message determines a walk in the isogeny graph (which is of size about $p^3/2880$), and the hash of the message is the end point of that walk. One should make sure that every two consecutive isogenies compose to a $(9,9)$-isogeny, to avoid the trivial collisions described in [22, §2.3]. This is automatically taken care of when using multiradical isogeny formulae. In the Richelot hash function from [9], a $(2,2)$-isogeny costs about 3 square root computations, with very little overhead, and can be used to process 3 bits of the message. In our case, the cost of a $(3,3)$-isogeny is dominated by the extraction of 3 cube roots, and now it can be used to process 3 trits (i.e., base-3 digits) of the message. Moreover, if $p \equiv \pm 1 \bmod 9$ then $p^2 \equiv 1 \bmod 9$ and computing cube roots in $\mathbb{F}_{p^2}$ is faster than computing square roots (see Section 6.4). Altogether, this leads to an expected speed-up by a factor 9, roughly. However, a noticeable difference with [9] is that chaining multiradical $(3,3)$-isogenies comes with some non-negligible overhead; our current implementation even involves three small Gröbner basis computations. Despite this overhead, the $(3,3)$-hash function outperforms the Richelot hash function as soon as the field characteristic $p$ is of cryptographic size (i.e., 86 bits or more). The asymptotic speed-up factor $\approx 9$ becomes visible when $p$ is about $2^{1024}$.
Two conventions. For any integer $N \geq 2$ we denote the ring (or the additive group) of integers modulo $N$ by $\mathbb{Z}_N$; we thereby follow computer science customs.² Also, throughout this paper, we always identify a variety over a perfect field $K$ with its set of $\overline{K}$-points equipped with the natural $\operatorname{Gal}(\overline{K}/K)$-action.

2. Background

We discuss some of the material needed for what follows, but we stress that this is not a complete overview. Our main goal is to fix notation and highlight some statements that may be known to specialists but that we did not manage to pinpoint in the existing literature, such as Lemma 2.1, Example 2.2 and Lemma 2.3. For general background on abelian varieties and isogenies we refer to [34, 35].

2.1. Generalized symplectic bases. We consider abelian varieties $A$ of dimension $g \geq 1$ over a perfect field $K$ with algebraic closure $\overline{K}$, and we always assume that $A$ comes equipped with a principal polarization. Important examples of $g$-dimensional principally polarized (p.p.) abelian varieties are Jacobians of smooth projective curves $C/K$ of genus $g$. Every p.p. abelian variety of dimension $\leq 3$ is $\overline{K}$-isomorphic to a product of Jacobians. For each integer $N \geq 2$ with $\operatorname{char} K \nmid N$, the $N$-torsion subgroup $A[N]$ can be shown to be free of rank $2g$ over $\mathbb{Z}_N$. The principal polarization induces a perfect bilinear and antisymmetric pairing
$$e_N : A[N] \times A[N] \to \mu_N \subseteq \overline{K}^*,$$
known as the Weil pairing. After fixing a primitive $N$-th root of unity $\zeta_N \in \mu_N$, the Weil pairing turns into a symplectic form:
$$\langle \cdot, \cdot \rangle_N : A[N] \times A[N] \to \mathbb{Z}_N : (P, Q) \mapsto \log_{\zeta_N} e_N(P, Q).$$
Thus $A[N]$ admits a symplectic basis, i.e., a $\mathbb{Z}_N$-basis $P_1, \dots, P_g, Q_1, \dots, Q_g$ satisfying $\langle P_i, P_j \rangle_N = \langle Q_i, Q_j \rangle_N = 0$ and $\langle P_i, Q_j \rangle_N = \delta_{ij}$ for all $i, j \in \{1, \dots, g\}$. This allows us to view $A[N]$ as $\mathbb{Z}_N^{2g}$ equipped with the standard symplectic pairing
$$\langle \cdot, \cdot \rangle : \mathbb{Z}_N^{2g} \times \mathbb{Z}_N^{2g} \to \mathbb{Z}_N : (v, w) \mapsto v^T \Omega w, \qquad \Omega = \begin{pmatrix} 0 & I_g \\ -I_g & 0 \end{pmatrix}.$$
Changing between symplectic bases is done using matrices from the symplectic group $\operatorname{Sp}_{2g}(\mathbb{Z}_N) = \{ M \in \operatorname{GL}_{2g}(\mathbb{Z}_N) \mid M^T \Omega M = \Omega \}$. Note that the notion of a symplectic basis of $A[N]$ depends on the choice of $\zeta_N$. If a basis is symplectic with respect to some choice of $\zeta_N$, then we call it a generalized symplectic basis. The matrices of base change between generalized symplectic bases are now taken from the larger group
$$\operatorname{GSp}_{2g}(\mathbb{Z}_N) = \{ M \in \operatorname{GL}_{2g}(\mathbb{Z}_N) \mid M^T \Omega M = d(M)\,\Omega \text{ for a } d(M) \in \mathbb{Z}_N^* \}, \tag{2.1}$$
which is known as the generalized symplectic group (its elements are often referred to as symplectic similitudes). An $N$-level structure on $A$ is an isomorphism $\alpha : A[N] \to \mathbb{Z}_N^{2g}$ such that $\alpha^{-1}(1, 0, \dots, 0), \alpha^{-1}(0, 1, \dots, 0), \dots, \alpha^{-1}(0, 0, \dots, 1)$ is a generalized symplectic basis of $A[N]$.

² Most pure mathematicians prefer the notation $\mathbb{Z}/N\mathbb{Z}$, especially when $N$ is a prime number $p$ (or a power thereof) in order to avoid confusion with $p$-adic rings. Our paper is free of $p$-adic numbers, so such confusion should not be possible.
2.2. Good chains of $(N, \dots, N)$-isogenies. A subgroup $G \subseteq A[N]$ is called isotropic if $\langle P, Q \rangle_N = 0$ for all $P, Q \in G$. Note that this notion does not depend on the choice of $\zeta_N$. It is called maximal isotropic if moreover there is no supergroup $G' \supsetneq G$ that is isotropic. This property ensures that the isogenous abelian variety $A' = A/G$ comes naturally equipped with a principal polarization. The subgroup is said to be an $\underbrace{(N, \dots, N)}_{g \text{ times}}$-subgroup if it is a (necessarily maximal) isotropic free $\mathbb{Z}_N$-submodule of rank $g$, i.e., an isotropic subgroup isomorphic to $\mathbb{Z}_N^g$. In that case, we say that the quotient isogeny $\varphi : A \to A'$ is an $(N, \dots, N)$-isogeny. Given an $(N, \dots, N)$-isogeny $\varphi : A \to A'$, we say that an $(N, \dots, N)$-isogeny $\varphi' : A' \to A''$ is a good extension of $\varphi$ if the composition
$$A \xrightarrow{\ \varphi\ } A' \xrightarrow{\ \varphi'\ } A''$$
is an $(N^2, \dots, N^2)$-isogeny. According to the lemma below, of which special cases can be found in [22, §2.2], there are $N^{g(g+1)/2}$ subgroups of $A'[N]$ that give rise to good extensions. The group $\varphi(A[N])$ is an $(N, \dots, N)$-subgroup which is the kernel of the dual isogeny $\hat{\varphi} : A' \to A$. All other $(N, \dots, N)$-subgroups of $A'[N]$ are said to give rise to bad extensions. These are precisely the $(N, \dots, N)$-subgroups that differ from $\varphi(A[N])$ but that intersect it non-trivially.

Lemma 2.1. Consider $\mathbb{Z}_N^{2g}$ together with the standard symplectic pairing $\langle \cdot, \cdot \rangle$. Its number of $(N, \dots, N)$-subgroups is given by
$$N^{g(g+1)/2} \prod_{\substack{\text{primes} \\ \ell \mid N}} \prod_{i=1}^{g} \left( 1 + \frac{1}{\ell^i} \right).$$
Given an $(N, \dots, N)$-subgroup $G \subseteq \mathbb{Z}_N^{2g}$, the number of $(N, \dots, N)$-subgroups that intersect it trivially equals $N^{g(g+1)/2}$.

Proof. For the second count, consider generators $P_1, \dots, P_g$ of the given subgroup $G$ and extend to a symplectic basis $P_1, \dots, P_g, Q_1, \dots, Q_g$. The free rank-$g$ submodules that intersect $G$ trivially each admit a unique basis of the form
$$P'_1 = Q_1 + a_{11} P_1 + \dots + a_{1g} P_g, \quad \dots, \quad P'_g = Q_g + a_{g1} P_1 + \dots + a_{gg} P_g, \tag{2.2}$$
for certain $a_{ij} \in \mathbb{Z}_N$ and, conversely, every such basis generates a rank-$g$ submodule intersecting $G$ trivially. One checks that the maximal isotropy assumption $\forall i, j : \langle P'_i, P'_j \rangle = 0$ translates into $\binom{g}{2}$ linear conditions on the $a_{ij}$'s. These conditions can be used to express the $a_{ij}$'s with $i > j$ in terms of the other $a_{ij}$'s. Thus we are left with $g^2 - \binom{g}{2} = g(g+1)/2$ degrees of freedom, as wanted. As for the first count, we start with the case where $N = \ell$ is a prime number. The symplectic group $\operatorname{Sp}_{2g}(\mathbb{F}_\ell)$ acts transitively on the set of $(\ell, \dots, \ell)$-subgroups, and our goal is to compute the size of the unique orbit. This can be done via the
orbit-stabilizer theorem, which indeed yields
$$\prod_{i=1}^{g} (\ell^i + 1) = \ell^{g(g+1)/2} \prod_{i=1}^{g} \left( 1 + \frac{1}{\ell^i} \right),$$
as detailed in [27, §1]. Next, to settle the case $N = \ell^n$ for $n > 1$, it suffices to see that the reduction-mod-$\ell$ map³
$$\{ (\ell^n, \dots, \ell^n)\text{-subgroups of } \mathbb{Z}_{\ell^n}^{2g} \} \to \{ (\ell, \dots, \ell)\text{-subgroups of } \mathbb{F}_\ell^{2g} \}$$
is $\ell^{(n-1)g(g+1)/2}$-to-$1$. This works as before: consider generators $Q_1, \dots, Q_g$ of an $(\ell^n, \dots, \ell^n)$-subgroup $G$, and extend to a symplectic basis $Q_1, \dots, Q_g, P_1, \dots, P_g$. The $(\ell^n, \dots, \ell^n)$-subgroups having the same reduction as $G$ admit a unique basis of the form (2.2), where each $a_{ij}$ is now an element of $\ell\mathbb{Z}_{\ell^n}$. Again, the maximal isotropy condition translates into expressions for the $a_{ij}$'s with $i > j$ in terms of the other $a_{ij}$'s, leaving us with $\ell^{(n-1)g(g+1)/2}$ subgroups, as wanted. The count for arbitrary $N$ then follows from the Chinese remainder theorem. □

2.3. The Tate pairing on (products of) Jacobians. We discuss the Tate pairing on Jacobians, in the sense of Frey and Rück [24, 28], and its natural extension to products of Jacobians. Let $C/K$ be a curve of genus $g \geq 1$ and let $N \geq 2$ be such that $\operatorname{char} K \nmid N$. The Tate pairing is a map
$$t_N : \operatorname{Pic}^0_K(C)[N] \times \operatorname{Pic}^0_K(C)/N\operatorname{Pic}^0_K(C) \to K^*/(K^*)^N,$$
where $\operatorname{Pic}^0_K(C)$ denotes the group of $K$-rational degree-zero divisors on $C$ modulo divisors of functions in $K(C)^*$, and is defined as follows. Let $D_1 \in \operatorname{Pic}^0_K(C)[N]$ be represented by a divisor $D_1$ and let $D_2 \in \operatorname{Pic}^0_K(C)/N\operatorname{Pic}^0_K(C)$ be represented by a divisor $D_2$ with support disjoint from that of $D_1$. Take a function $f_{N,D_1} \in K(C)^*$ whose divisor is $N D_1$. We then let
$$t_N(D_1, D_2) := f_{N,D_1}(D_2) \bmod (K^*)^N.$$
It can be shown that this is a well-defined bilinear pairing. In many cases of interest, the natural inclusion $\operatorname{Pic}^0_K(C) \to J_C(K)$ into the Jacobian $J_C$ of $C$ is surjective, i.e., it is a group isomorphism, and we obtain a pairing $J_C(K)[N] \times J_C(K)/N J_C(K) \to K^*/(K^*)^N$ that we keep denoting by $t_N$. Known sufficient conditions for surjectivity are that $K$ has a trivial Brauer group (e.g., this is true if $K$ is finite) [34, Rmk. 1.6], that $C(K) \neq \emptyset$ [25, Thm. 3], or that $g = 2$ [13, Lem. 3.1 and Lem. 3.2]. In this paper we are mainly interested in the case where $K$ is a certain function field over $\mathbb{Q}$, which has a non-trivial Brauer group. To avoid resulting pathologies, we only apply the Tate pairing in cases where $C(K) \neq \emptyset$ or where $g = 2$. We also consider the Tate pairing
$$t_N : A(K)[N] \times A(K)/N A(K) \to K^*/(K^*)^N$$
on abelian varieties $A/K$ that arise as products of Jacobians of such curves: this is simply obtained by taking the product of the Tate pairings of the respective components.

³ Recall from the introduction that $\mathbb{Z}_{\ell^n}$ just denotes $\mathbb{Z}/\ell^n\mathbb{Z}$, the integers modulo $\ell^n$, rather than some extension of the ring of $\ell$-adic integers.
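Lemma 2.1 and the similitude condition (2.1) can be checked by brute force for tiny parameters. The Python script below is an added example, not code from the paper or its authors: it enumerates every $(N, \dots, N)$-subgroup of $\mathbb{Z}_N^{2g}$ (isotropic free rank-$g$ submodules under the standard pairing $v^T \Omega w$), compares the count with the lemma's closed formula, counts the subgroups meeting a fixed $G$ trivially (the good extensions of Section 2.2 when $G = \varphi(A[N])$), and decides whether a matrix lies in $\operatorname{GSp}_{2g}(\mathbb{Z}_N)$ by computing $d(M)$. All function names are ours, and $N$, $g$ are kept small because the enumeration is exhaustive.

```python
"""Brute-force check of Lemma 2.1 and of condition (2.1) for small N and g.
Constructed illustration; not the paper's code."""
from fractions import Fraction
from itertools import product
from math import gcd


def prime_divisors(N):
    """Distinct primes dividing N (trial division is enough for tiny N)."""
    primes, n, p = [], N, 2
    while p * p <= n:
        if n % p == 0:
            primes.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        primes.append(n)
    return primes


def pairing(v, w, N):
    """Standard symplectic pairing <v, w> = v^T Omega w mod N on Z_N^{2g},
    with Omega = [[0, I_g], [-I_g, 0]]; v, w are tuples of length 2g."""
    g = len(v) // 2
    return sum(v[i] * w[g + i] - v[g + i] * w[i] for i in range(g)) % N


def similitude_factor(M, N):
    """Return d in Z_N^* with M^T Omega M = d*Omega (mod N) if M is in
    GSp_2g(Z_N) as in (2.1); return None otherwise.  M is a list of rows."""
    n = len(M)
    g = n // 2
    omega = [[0] * n for _ in range(n)]
    for i in range(g):
        omega[i][g + i] = 1
        omega[g + i][i] = (-1) % N

    def mul(A, B):
        return [[sum(A[i][k] * B[k][j] for k in range(n)) % N for j in range(n)]
                for i in range(n)]

    MT = [[M[j][i] for j in range(n)] for i in range(n)]
    P = mul(mul(MT, omega), M)
    d = P[0][g]  # the (1, g+1) entry of d*Omega is d itself
    if gcd(d, N) != 1:
        return None
    return d if P == [[(d * x) % N for x in row] for row in omega] else None


def span(gens, N):
    """All Z_N-linear combinations of the generators, as a frozenset of tuples."""
    dim = len(gens[0])
    return frozenset(
        tuple(sum(c * v[k] for c, v in zip(coeffs, gens)) % N for k in range(dim))
        for coeffs in product(range(N), repeat=len(gens)))


def nn_subgroups(N, g):
    """All (N,...,N)-subgroups of Z_N^{2g}: isotropic free Z_N-submodules of
    rank g.  A submodule generated by g vectors is free of rank g exactly when
    it has N^g elements."""
    vectors = list(product(range(N), repeat=2 * g))
    found = set()
    for gens in product(vectors, repeat=g):
        if any(pairing(v, w, N) for v in gens for w in gens):
            continue  # not isotropic (by bilinearity, generators suffice)
        H = span(gens, N)
        if len(H) == N ** g:
            found.add(H)
    return found


def lemma21_count(N, g):
    """Closed form of Lemma 2.1: N^{g(g+1)/2} prod_{l | N} prod_{i=1}^g (1 + l^-i)."""
    total = Fraction(N ** (g * (g + 1) // 2))
    for l in prime_divisors(N):
        for i in range(1, g + 1):
            total *= 1 + Fraction(1, l ** i)
    assert total.denominator == 1
    return int(total)


def good_extensions(G, subgroups, N, g):
    """Subgroups meeting G trivially.  With G = phi(A[N]), the kernel of the
    dual isogeny, these are exactly the subgroups giving good extensions."""
    zero = (0,) * (2 * g)
    return [H for H in subgroups if H & G == frozenset([zero])]


if __name__ == "__main__":
    for N, g in [(2, 1), (3, 1), (4, 1), (2, 2), (3, 2)]:
        subs = nn_subgroups(N, g)
        G = next(iter(subs))
        print(N, g, len(subs), lemma21_count(N, g), len(good_extensions(G, subs, N, g)))
```

For $(N, g) = (3, 2)$ the enumeration finds 40 subgroups, of which $27 = 3^{g(g+1)/2}$ meet any fixed one trivially; this is the number of good extensions a multiradical $(3,3)$-step must be able to reach by its choice of cube roots.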
Example 2.2. For use in Section 4.2, let us consider a genus-2 curve $C : y^2 = G_1(x) G_2(x) G_3(x)$ over a perfect field $K$ of odd characteristic, where the $G_i$'s are quadratic polynomials over $K$ whose product is square-free. Each $G_i$ defines an element $D_i \in \operatorname{Pic}^0_K(C)$, namely the class of $D_i = (\alpha_{i1}, 0) + (\alpha_{i2}, 0) - \infty_1 - \infty_2$, with $\alpha_{i1}, \alpha_{i2} \in \overline{K}$ the two roots of $G_i$ and with $\infty_1, \infty_2 \in C(\overline{K})$ the two points at infinity. An analysis of $\mathcal{L}(\infty_1 + \infty_2)$ shows that $D_i$ is non-principal, so from $2D_i = \operatorname{div}(G_i)$ we conclude that the $D_i$'s have order 2. Let us compute $t_2(D_1, D_2)$. Replace $D_1$ by the equivalent divisor $D'_1 = (\alpha_{11}, 0) + (\alpha_{12}, 0) - \infty_1 - \infty_2 - \operatorname{div}(x - c)$ for some arbitrary $c \in K$ that is not a root of $G_2$. Then we can take $f_{2,D'_1} = G_1/(x - c)^2$ so that
$$t_2(D_1, D_2) \equiv f_{2,D'_1}(D_2) \equiv \frac{G_1(\alpha_{21})\,G_1(\alpha_{22})}{(\alpha_{21} - c)^2 (\alpha_{22} - c)^2} \equiv \frac{\operatorname{res}_x(G_1, G_2)}{\operatorname{lc}(G_1)^2}$$
modulo $(K^*)^2$. Here $\operatorname{lc}(G_1)$ denotes the leading coefficient of $G_1$. By symmetry, it then follows that $t_2(D_i, D_j) \equiv \operatorname{res}_x(G_i, G_j)$ for all pairs of distinct $i, j \in \{1, 2, 3\}$.

If $K$ is a finite field $\mathbb{F}_q$ containing a primitive $N$-th root of unity, i.e., $N \mid q - 1$, then the Tate pairing can be shown to be perfect. We remark that there are ways of extending Frey and Rück's definition of the Tate pairing to arbitrary abelian varieties over $\mathbb{F}_q$, where it remains perfect [6].

2.4. Multiradical field extensions. We say that a field extension $K \subseteq L$ is multiradical if there exist an integer $N \geq 1$ and elements $\alpha_1, \dots, \alpha_r \in L$ such that $L = K(\alpha_1, \dots, \alpha_r)$ and $\alpha_i^N \in K^*$ for all $i$. In this section, we discuss a sufficient Galois-theoretic condition for an extension to be multiradical. While we suspect that this is a well-known fact, we did not manage to find an exact reference, even for the case $r = 1$. Recall that a group $G$ is the (inner) semi-direct product $G_1 \rtimes G_2$ of a normal subgroup $G_1$ and a subgroup $G_2$ if the following three equivalent conditions hold:
• $G = G_1 G_2$ and $G_1 \cap G_2 = \{e_G\}$,
• every $g \in G$ can be written as $g = g_1 g_2$ for unique $g_1 \in G_1$ and $g_2 \in G_2$,
• every $g \in G$ can be written as $g = g_2 g_1$ for unique $g_1 \in G_1$ and $g_2 \in G_2$.
The group structure of $G$ is determined by that of $G_1$ and $G_2$ and by how $G_2$ acts on $G_1$ through conjugation. The prototypical example of a multiradical extension is where $K = \mathbb{Q}$ and $L = \mathbb{Q}(\sqrt[N]{p_1}, \dots, \sqrt[N]{p_r})$ for distinct primes $p_i$, which is a number field of degree $N^r$ [1]. The Galois closure of $L$ over $K$ is $L(\zeta_N)$, with $\zeta_N \in \overline{L}$ a primitive $N$-th root of unity. Define
$$G_1 = \{ \sigma_1^{i_1} \circ \dots \circ \sigma_r^{i_r} \mid 0 \leq i_j < N \text{ for all } j \} \cong \mathbb{Z}_N^r,$$
where $\sigma_j : \sqrt[N]{p_j} \mapsto \zeta_N \sqrt[N]{p_j}$ for $j = 1, \dots, r$. Letting $G_2 = \{ \tau_\ell : \zeta_N \mapsto \zeta_N^\ell \mid 0 \leq \ell < N, \gcd(\ell, N) = 1 \} \cong \mathbb{Z}_N^*$, one then verifies that $\operatorname{Gal}(L(\zeta_N)/K) = G_1 \rtimes G_2$,
where the action is given by $\tau_\ell \circ \sigma_1^{i_1} \circ \dots \circ \sigma_r^{i_r} \circ \tau_\ell^{-1} = \sigma_1^{\ell i_1} \circ \dots \circ \sigma_r^{\ell i_r}$. Of course, this example generalizes to (the Galois closures of) arbitrary multiradical extensions, as long as $\operatorname{char} K \nmid N$ and $[L : K] = N^r$. Lemma 2.3 gives a converse statement:

Lemma 2.3. Let $N, r$ be positive integers and consider a degree-$N^r$ extension $K \subseteq L$ of fields whose characteristic does not divide $N$. Let $\zeta_N \in \overline{L}$ be a primitive $N$-th root of unity and assume that $L(\zeta_N)$ is Galois over $K$ with Galois group
$$\operatorname{Gal}(L(\zeta_N)/K) = \operatorname{Gal}(L(\zeta_N)/K(\zeta_N)) \rtimes \operatorname{Gal}(L(\zeta_N)/L),$$
where the first factor is isomorphic to $\mathbb{Z}_N^r$, say generated by $\sigma_1, \dots, \sigma_r$, and where the semi-direct product is according to the rule
$$\tau_\ell \circ \sigma_1^{i_1} \circ \dots \circ \sigma_r^{i_r} \circ \tau_\ell^{-1} = \sigma_1^{\ell i_1} \circ \dots \circ \sigma_r^{\ell i_r} \tag{2.3}$$
for all $i_1, \dots, i_r \in \{0, \dots, N-1\}$ and all $\tau_\ell : \zeta_N \mapsto \zeta_N^\ell \in \operatorname{Gal}(L(\zeta_N)/L)$. Then there exist $\alpha_1, \dots, \alpha_r \in L$ such that $L = K(\alpha_1, \dots, \alpha_r)$ and $\alpha_1^N, \dots, \alpha_r^N \in K^*$.
Proof. First assume that $r = 1$ and write $\sigma$ instead of $\sigma_1$. The restricted maps $\sigma^i|_L : L \to L(\zeta_N)$ are pairwise distinct. Indeed, if $i, i' \in \{0, 1, \dots, N-1\}$ are such that $\sigma^i|_L = \sigma^{i'}|_L$, then
$$\sigma^{i - i'} \in \operatorname{Gal}(L(\zeta_N)/K(\zeta_N)) \cap \operatorname{Gal}(L(\zeta_N)/L) = \{\mathrm{id}\},$$
which can only be true if $i = i'$. From [41, Lem. 0CKL] it follows that these restricted maps are linearly independent over $L(\zeta_N)$. In particular there exists some $\beta \in L$ such that
$$\alpha := \sum_{i=0}^{N-1} \zeta_N^i \sigma^i(\beta)$$
is non-zero. From
$$\tau_\ell(\alpha) = \sum_i \zeta_N^{\ell i} (\tau_\ell \circ \sigma^i)(\beta) = \sum_i \zeta_N^{\ell i} (\sigma^{\ell i} \circ \tau_\ell)(\beta) = \sum_i \zeta_N^{\ell i} \sigma^{\ell i}(\beta) = \alpha$$
it follows that $\alpha \in L$. Now observe that $\alpha$ was constructed in such a way that $\sigma^i(\alpha) = \zeta_N^{-i} \alpha$ for $i = 0, 1, \dots, N-1$, which has two crucial consequences. On the one hand, it implies that $\operatorname{Gal}(L(\zeta_N)/L)$ is the exact group of automorphisms fixing $K(\alpha)$, or in other words $L = K(\alpha)$. On the other hand, it implies that $\sigma(\alpha^N) = \sigma(\alpha)^N = (\zeta_N^{-1} \alpha)^N = \alpha^N$, so that $\alpha^N$ is fixed by the entire Galois group, i.e., $\alpha^N \in K$ as wanted.

The general case reduces to the case $r = 1$, as follows. Each element of our Galois group $\operatorname{Gal}(L(\zeta_N)/K)$ can be written as $\sigma_1^{i_1} \circ \dots \circ \sigma_r^{i_r} \circ \tau_\ell$ for unique $0 \leq i_j, \ell < N$ with $\gcd(\ell, N) = 1$. For each $j = 1, \dots, r$, let $G_j$, resp. $H_j$, be the subgroup obtained by imposing $i_j = 0$, resp. the normal subgroup obtained by imposing $i_j = 0$ and $\ell = 1$. Defining $L_j = L(\zeta_N)^{G_j}$, it is easy to check that $L(\zeta_N)^{H_j} = L_j(\zeta_N)$ and that the chain of inclusions $K \subseteq L_j \subseteq L_j(\zeta_N)$ satisfies the hypotheses of the lemma for $r = 1$. From the first part of our proof, we conclude that there exists an $\alpha_j \in L_j$ such that $L_j = K(\alpha_j)$ and $\alpha_j^N \in K^*$. But from $\bigcap_j G_j = \operatorname{Gal}(L(\zeta_N)/L)$ one sees that $L$ is the compositum of the $L_j$'s, from which the lemma follows. □
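The construction in the proof of Lemma 2.3 can be followed exactly in its smallest non-Kummer instance. The script below is an added example, not code from the paper: it takes $K = \mathbb{Q}$, $L = \mathbb{Q}(c)$ with $c^3 = 2$ and $N = 3$, so that $L(\zeta_3)$ has Galois group $\mathbb{Z}_3 \rtimes \mathbb{Z}_3^* \cong S_3$ with $\sigma : c \mapsto \zeta c$ and $\tau_2 : \zeta \mapsto \zeta^2$ (complex conjugation), represents elements of $\mathbb{Q}(\zeta, c)$ with exact rational coefficients, and computes the resolvent $\alpha = \sum_i \zeta^i \sigma^i(\beta)$ for $\beta = 1 + c + c^2$. The field arithmetic, the choice of $\beta$ and all function names are ours; one finds $\alpha = 3c^2 \in L$ with $\alpha^3 = 108 \in \mathbb{Q}$, and the rule (2.3), here $\tau_2 \sigma \tau_2^{-1} = \sigma^2$, is checked on a sample element.

```python
"""Lemma 2.3 in the case K = Q, L = Q(c), c^3 = 2, N = 3, zeta = zeta_3.
Exact arithmetic in M = Q(zeta, c).  Constructed illustration, not the paper's code."""
from fractions import Fraction as Fr

# An element of Q(zeta) is a pair (a, b) meaning a + b*zeta, with zeta^2 = -1 - zeta.
def qz_add(x, y):
    return (x[0] + y[0], x[1] + y[1])

def qz_mul(x, y):
    a, b = x
    c, d = y
    # (a + b z)(c + d z) = ac + (ad + bc) z + bd z^2, and z^2 = -1 - z
    return (a * c - b * d, a * d + b * c - b * d)

ZERO, ONE, ZETA = (Fr(0), Fr(0)), (Fr(1), Fr(0)), (Fr(0), Fr(1))

def zeta_pow(i):
    """zeta^i as an element of Q(zeta)."""
    out = ONE
    for _ in range(i % 3):
        out = qz_mul(out, ZETA)
    return out

# An element of M = Q(zeta)(c), c^3 = 2, is a list [e0, e1, e2] meaning e0 + e1 c + e2 c^2.
def m_add(x, y):
    return [qz_add(a, b) for a, b in zip(x, y)]

def m_scale(z, x):
    """Multiply x in M by the scalar z in Q(zeta)."""
    return [qz_mul(z, e) for e in x]

def m_mul(x, y):
    out = [ZERO, ZERO, ZERO]
    for i in range(3):
        for j in range(3):
            term = qz_mul(x[i], y[j])
            k = i + j
            if k >= 3:  # reduce using c^3 = 2
                k -= 3
                term = qz_mul(term, (Fr(2), Fr(0)))
            out[k] = qz_add(out[k], term)
    return out

def m_pow(x, n):
    out = [ONE, ZERO, ZERO]
    for _ in range(n):
        out = m_mul(out, x)
    return out

# Gal(M/Q) = <sigma> x| <tau>: sigma fixes zeta and sends c -> zeta c;
# tau (complex conjugation) fixes c and sends zeta -> zeta^2 = -1 - zeta.
def sigma(x):
    return [qz_mul(zeta_pow(a), x[a]) for a in range(3)]

def tau(x):
    return [(a - b, -b) for (a, b) in x]

def in_L(x):
    """x lies in L = Q(c), the fixed field of tau, iff all Q(zeta)-coefficients are rational."""
    return all(b == 0 for (_, b) in x)

def in_K(x):
    """x lies in K = Q iff it is a rational constant."""
    return in_L(x) and x[1] == ZERO and x[2] == ZERO

def resolvent(beta):
    """alpha = sum_{i=0}^{2} zeta^i sigma^i(beta), the element built in the proof of Lemma 2.3."""
    alpha = [ZERO, ZERO, ZERO]
    s = beta
    for i in range(3):
        alpha = m_add(alpha, m_scale(zeta_pow(i), s))
        s = sigma(s)
    return alpha

def rule_2_3_holds(x):
    """Rule (2.3) with l = 2: tau sigma tau^{-1} = sigma^2 (tau has order 2)."""
    return tau(sigma(tau(x))) == sigma(sigma(x))

def demo():
    """Return (alpha, alpha^3) for beta = 1 + c + c^2; expect 3c^2 and 108."""
    beta = [ONE, ONE, ONE]
    alpha = resolvent(beta)
    return alpha, m_pow(alpha, 3)

if __name__ == "__main__":
    alpha, alpha_cubed = demo()
    print("alpha =", alpha, "in L:", in_L(alpha))
    print("alpha^3 =", alpha_cubed, "in K:", in_K(alpha_cubed))
```

The two consequences used in the proof are visible directly: $\sigma(\alpha) = \zeta^{-1}\alpha$ forces $\alpha$ to be fixed by nothing but $\tau$, so $\alpha \in L$ generates $L$ over $\mathbb{Q}$, and $\alpha^3$ is fixed by the whole group, so it is rational.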
MULTIRADICAL ISOGENIES
Note that if $r = 1$ and $L$ contains $\zeta_N$ then Lemma 2.3 specializes to a standard statement from Kummer theory; observe that the factor $\operatorname{Gal}(L(\zeta_N)/L)$ is trivial in this case. In fact, our proof is a tweak of that of [41, Lem. 09DX]. In the current paper, we are mostly interested in the other end of the spectrum, where $\langle \zeta_N \rangle \cap L$ is as small as possible, i.e., contained in $\{\pm 1\}$.

2.5. Charles–Goren–Lauter style hash functions. In [12], Charles, Goren and Lauter introduced a hash function based on isogenies between supersingular elliptic curves. This construction was generalized to work for Richelot isogenies between superspecial p.p. abelian surfaces in [9], by fixing an earlier proposal due to Takashima [44], shown to admit trivial collisions by Flynn and Ti [22]. We give a rough outline of the general construction. Fix distinct primes $p$ and $\ell$, a dimension $g$, and let $G_{p,\ell,g}$ be the directed multigraph with vertex set $V$ and edge set $E$, which are constructed as follows. $V$ consists of all superspecial p.p. abelian varieties over $\overline{\mathbb{F}}_p$ of dimension $g$ up to isomorphism, which can always be defined over $\mathbb{F}_{p^2}$ [2, Thm. 2.13A]. The edges emanating from a vertex $v \in V$ are the $(\ell, \ldots, \ell)$-isogenies with domain $v$, one for each $(\ell, \ldots, \ell)$-subgroup of $v$. One can prove that the graph $G_{p,\ell,g}$ is connected [31, Thm. 43], and in the case of supersingular elliptic curves, the graph is a Ramanujan graph [12]. Unfortunately, this is no longer the case for dimension $g > 1$ [31, §10.1], but those graphs seem to exhibit strong expansion properties nonetheless; see [20] for an empirical analysis of the case $\ell = g = 2$. From Lemma 2.1 we see that $G_{p,\ell,g}$ is a $\prod_{i=1}^{g} (\ell^i + 1)$-regular multigraph. One can try and turn this graph into an undirected graph by considering dual isogenies, but due to p.p. abelian varieties possibly having non-trivial automorphisms, the multiplicities of the edges and their duals may not coincide. For a more in-depth discussion regarding this phenomenon, we refer to [9, §4].
To build a hash function from this graph, we must first fix a superspecial p.p. abelian variety and will begin a walk in the graph starting from this vertex. From this initial vertex, we label all outgoing edges in some way (e.g., in lexicographical order with respect to a fixed choice of representation of $\mathbb{F}_{p^2}$). Out of these $\prod_{i=1}^{g} (\ell^i + 1)$ edges, we only consider the first $\kappa = \ell^{g(g+1)/2}$ and we walk along the edge that corresponds to the least significant digit of the message $m$ when expressed in base $\kappa$. [Footnote 4: There is no real reason why one cannot consider all edges in this first step. Restricting to only $\kappa$ choices however streamlines the algorithm.] We have now arrived at a new p.p. abelian variety and want to avoid any possible backtracking while walking in the graph, so for our next edge, we should not consider all possible outgoing edges. For elliptic curves, it suffices to discard the edges corresponding to the dual isogenies [12], but for $g > 1$ we must discard all options that have a kernel which intersects the kernel of the dual isogeny non-trivially [9]. In general, again in view of Lemma 2.1, this leaves us with $\kappa$ possible edges to consider, which correspond to good extensions of the isogeny corresponding to the first edge we chose. Once again, we label the $\kappa$ outgoing edges in some deterministic way and will walk along the one that corresponds to the second least significant digit of $m$ in base $\kappa$. We continue this until all the digits of the message have been processed. The output of the hash function is then an invariant of the final p.p. abelian variety we encounter. In the case of elliptic curves, one can choose the $j$-invariant for example.
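As an added illustration of the walk just described (example code written for this page, not code from [12], [9] or the paper's own repository), the following instantiates the construction for $g = 1$ and $\ell = 2$, where $\kappa = 2$ and each message bit selects one of the two non-backtracking 2-isogenies. The prime $P = 103$ and the starting curve $y^2 = x^3 + x$ are constructed toy choices; $\mathbb{F}_{p^2} = \mathbb{F}_p(i)$, brute-force root finding, and Vélu's formulae for a 2-isogeny with kernel $\{O, (x_0, 0)\}$ are standard, and the Weierstrass model itself is used as the vertex, so the edge labelling depends on the chosen representation exactly as the text notes. All function names are this example's own.

```python
"""Toy Charles-Goren-Lauter walk on the supersingular 2-isogeny graph (g = 1, l = 2).

Added example for this page, not code from the paper: kappa = l^{g(g+1)/2} = 2, so
every message bit selects one of the two non-backtracking 2-isogenies at each step,
and the digest is the j-invariant of the last curve reached.
"""

P = 103  # constructed toy prime with P = 3 (mod 4), so F_{p^2} = F_p(i), i^2 = -1

# F_{p^2} elements are pairs (a, b) meaning a + b*i.
def add(u, v):
    return ((u[0] + v[0]) % P, (u[1] + v[1]) % P)

def sub(u, v):
    return ((u[0] - v[0]) % P, (u[1] - v[1]) % P)

def mul(u, v):
    return ((u[0] * v[0] - u[1] * v[1]) % P, (u[0] * v[1] + u[1] * v[0]) % P)

def scal(k, u):
    return ((k * u[0]) % P, (k * u[1]) % P)

def inv(u):
    # (a + bi)^-1 = (a - bi) / (a^2 + b^2), and the norm a^2 + b^2 lies in F_p^*
    n = pow((u[0] * u[0] + u[1] * u[1]) % P, P - 2, P)
    return ((u[0] * n) % P, (-u[1] * n) % P)

def cubic_roots(A, B):
    """All x in F_{p^2} with x^3 + A*x + B = 0, sorted (brute force; fine for tiny P)."""
    roots = []
    for a in range(P):
        for b in range(P):
            x = (a, b)
            if add(add(mul(mul(x, x), x), mul(A, x)), B) == (0, 0):
                roots.append(x)
    return sorted(roots)

def velu_2(A, B, x0):
    """Velu's formulae for the 2-isogeny of y^2 = x^3 + A*x + B with kernel {O, (x0, 0)}.
    Returns (A', B', t) with A' = A - 5t, B' = B - 7*x0*t and t = 3*x0^2 + A."""
    t = add(scal(3, mul(x0, x0)), A)
    return sub(A, scal(5, t)), sub(B, scal(7, mul(x0, t))), t

def push_x(x, x0, t):
    """x-coordinate of the image of a point with x-coordinate x under that isogeny."""
    return add(x, mul(t, inv(sub(x, x0))))

def j_invariant(A, B):
    a3 = scal(4, mul(mul(A, A), A))
    return mul(scal(1728, a3), inv(add(a3, scal(27, mul(B, B)))))

def bits_of(msg):
    """Message bytes to bits, least significant bit of each byte first."""
    return [(byte >> k) & 1 for byte in msg for k in range(8)]

def cgl_hash(bits, A=(1, 0), B=(0, 0)):
    """Walk from E0: y^2 = x^3 + x (supersingular since P = 3 mod 4); return j(E_final)."""
    roots = cubic_roots(A, B)
    assert len(roots) == 3, "full 2-torsion must be rational over F_{p^2}"
    avoid = None  # x-coordinate of ker(dual of previous step), excluded to stop backtracking
    for bit in bits:
        # first step: only the first kappa = 2 labelled edges; later steps: the two edges
        # that are not the dual of the edge just taken (good extensions of the walk so far)
        choices = [r for r in roots if r != avoid][:2]
        x0 = choices[bit]
        other = next(r for r in roots if r != x0)   # any other 2-torsion point of E
        A, B, t = velu_2(A, B, x0)
        avoid = push_x(other, x0, t)                # its image generates ker(dual)
        roots = cubic_roots(A, B)
        assert avoid in roots                       # sanity check on the Velu step
    return j_invariant(A, B)

if __name__ == "__main__":
    print(cgl_hash(bits_of(b"hi")))
```

For this toy prime the walk from $y^2 = x^3 + x$ with the single bit 0 returns to $j = 1728$ (the codomain $y^2 = x^3 - 4x$ has the same $j$), while the single bit 1 lands on $j = 66^3 = 287496 \bmod 103 = 23$, so the two one-bit messages already separate. The check that the dual-kernel $x$-coordinate is a root of the next cubic is the one to keep when porting the step to a larger prime or to a proper $\mathbb{F}_{p^2}$ root finder.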
WOUTER CASTRYCK AND THOMAS DECRU
3. On the existence of multiradical isogeny formulae

In this section we give a group-theoretic argument in favor of the existence of multiradical isogeny formulae. The argument is motivated by Lemma 2.3.

3.1. A multiradical modular cover. For a perfect field $K$, an integer $n \geq 2$ and a subgroup $H \subseteq \operatorname{GSp}_{2g}(\mathbb{Z}_n)$, we consider the moduli problem of parametrizing pairs $(A, \alpha)$ up to $H$-equivalence, where $A$ is a $g$-dimensional p.p. abelian variety over $K$ and $\alpha$ is an $n$-level structure on it. Two pairs $(A_1, \alpha_1)$ and $(A_2, \alpha_2)$ are called $H$-equivalent if there exists an isomorphism $\phi : A_1 \to A_2$ and an element $h \in H$ such that $\alpha_1 = h \circ \alpha_2 \circ \phi$. We write $[(A, \alpha)]_H$ for the $H$-equivalence class of $(A, \alpha)$, and denote the moduli set of such $H$-equivalence classes by $\mathcal{A}_g(H)$. Two extremal cases are $\mathcal{A}_g(\operatorname{GSp}_{2g}(\mathbb{Z}_n))$, which just parametrizes $g$-dimensional p.p. abelian varieties up to isomorphism, and $\mathcal{A}_g(\{\mathrm{id}\})$, which parametrizes $g$-dimensional p.p. abelian varieties $A$ equipped with a generalized symplectic basis of $A[n]$. Note that if $H'$ is a subgroup of $H$, then we have a natural map
$$\mathcal{A}_g(H') \to \mathcal{A}_g(H) : [(A, \alpha)]_{H'} \mapsto [(A, \alpha)]_H.$$
We can construct a moduli set of $g$-dimensional p.p. abelian varieties $A$ together with marked generators $P_1, \ldots, P_g$ of an $(N, \ldots, N)$-subgroup by choosing $n = N$ and letting $H$ be
$$H_N = \left\{ \begin{pmatrix} I_g & B \\ 0 & d I_g \end{pmatrix} \,\middle|\, B \in \operatorname{Sym}_g(\mathbb{Z}_N),\ d \in \mathbb{Z}_N^* \right\} \subseteq \operatorname{GSp}_{2g}(\mathbb{Z}_N),$$
where $\operatorname{Sym}_g(\mathbb{Z}_N)$ denotes the set of symmetric $g \times g$ matrices with entries in $\mathbb{Z}_N$. Another (overcomplicated) way of arriving at a set with the same moduli interpretation is by instead letting $n = N^2$ and considering the group
$$\Gamma_{1,N} = \{\, M \in \operatorname{GSp}_{2g}(\mathbb{Z}_{N^2}) \mid M \bmod N \in H_N \,\}.$$
This creates room for defining the subgroup
$$\Gamma'_{1,N} = \{\, M \in \Gamma_{1,N} \subseteq \operatorname{GSp}_{2g}(\mathbb{Z}_{N^2}) \mid \text{the lower-left } g \times g \text{ block of } M \text{ is zero} \,\},$$
whose associated moduli set parametrizes p.p. abelian varieties along with marked generators $Q_1, \ldots, Q_g$ of an $(N^2, \ldots, N^2)$-subgroup, considered modulo the following equivalence relation: two such sets of marked generators $Q_1, \ldots, Q_g$ and $R_1, \ldots, R_g$ are identified if and only if $R_i - Q_i \in \langle N Q_1, \ldots, N Q_g \rangle$ for $i = 1, \ldots, g$. Note that the points $P_i := N Q_i$ do not depend on the chosen representants $Q_i$, and neither do the cosets $P'_i$ of $Q_i$ modulo $\langle P_1, \ldots, P_g \rangle$. Said differently, the set $\mathcal{A}_g(\Gamma'_{1,N})$ parametrizes $g$-dimensional p.p. abelian varieties $A$ together with marked generators $P_1, \ldots, P_g$ of some $(N, \ldots, N)$-subgroup $G \subseteq A$, as well as with marked generators $P'_1, \ldots, P'_g$ of an $(N, \ldots, N)$-subgroup $G' \subseteq A' = A/G$ which are such that the chain of quotient maps
$$A \xrightarrow{\ \varphi\ } A' = A/G \xrightarrow{\ \varphi'\ } A'/G'$$
is good, i.e., $\varphi' \circ \varphi$ is an $(N^2, \ldots, N^2)$-isogeny. The natural map $\mathcal{A}_g(\Gamma'_{1,N}) \to \mathcal{A}_g(\Gamma_{1,N})$ just "forgets" about the points $P'_i$. Thus, the central question of our paper (given $P_1, \ldots, P_g$, how to find $P'_1, \ldots, P'_g$) is closely related to understanding the fibers of this map.
Remark 3.1. In the above moduli interpretation, the marked generators $P'_i$ have the additional property that
(3.1)
$$\hat{\varphi}(P'_i) = P_i \quad \text{for all } i = 1, \ldots, g,$$
where $\hat{\varphi} : A' \to A$ is the dual of $\varphi$. This feature was not explicitly asked for in the introduction. However, every subgroup $G' \subseteq A'$ for which $A' \to A'/G'$ is a good extension of $\varphi$ admits a unique $\mathbb{Z}_N$-basis satisfying (3.1); we call this basis distinguished. It suffices to concentrate on such bases. Indeed, once we have found formulae for these distinguished generators, formulae for other sets of generators can be found by performing a base change, using arithmetic on $A'$ [Footnote 5: For example, if $N$ is odd, then the formulae for $2P'_1, \ldots, 2P'_g$ are obtained from those for $P'_1, \ldots, P'_g$ by feeding the latter to a formula for doubling on $A'$.], and this should not affect features like multiradicality, completeness and good reduction. Moreover, it seems reasonable to expect that the formulae for the distinguished generators will stand out in terms of simplicity (although we did not investigate this in detail).

The multiradical nature of the fibers of $\mathcal{A}_g(\Gamma'_{1,N}) \to \mathcal{A}_g(\Gamma_{1,N})$ is hinted at by the following lemma, which invokes the notation $d(M)$ from (2.1), in combination with Lemma 2.3. Recall that the normal core $\operatorname{Core}_G(H)$ of a subgroup $H$ in a group $G$ is the largest subgroup of $H$ that is normal in $G$. For use below we remark that, under the Galois correspondence, this notion corresponds to the Galois closure of a separable field extension. In order to state the lemma, we fix any bijection
$$k : \{1, \ldots, g(g+1)/2\} \to \{(k_1, k_2) \mid 1 \leq k_1 \leq k_2 \leq g\}$$
and for all $j = 1, \ldots, g(g+1)/2$ and $0 \leq \ell < N$, $\gcd(N, \ell) = 1$ we define the elements
$$\sigma_j = \begin{pmatrix} I_g & 0 \\ N S_{k(j)} & I_g \end{pmatrix}, \qquad \tau_\ell = \begin{pmatrix} I_g & 0 \\ 0 & \ell I_g \end{pmatrix}$$
of $\Gamma_{1,N}$, where $S_{(k_1, k_2)}$ denotes the symmetric $g \times g$ matrix having a $1$ at positions $(k_1, k_2)$ and $(k_2, k_1)$ and $0$'s elsewhere.

Lemma 3.2. The group $\Gamma'_{1,N}$ has index $N^{g(g+1)/2}$ in $\Gamma_{1,N}$. Its normal core can be computed as
$$\operatorname{Core}_{\Gamma_{1,N}}(\Gamma'_{1,N}) = \{\, M \in \Gamma'_{1,N} \mid d(M) \equiv 1 \bmod N \,\},$$
which has index $\varphi(N)$ in $\Gamma'_{1,N}$. Every element of $\Gamma_{1,N} / \operatorname{Core}_{\Gamma_{1,N}}(\Gamma'_{1,N})$ admits a unique representant of the form
(3.2)
$$\sigma_1^{i_1} \cdots \sigma_{g(g+1)/2}^{i_{g(g+1)/2}} \cdot \tau_\ell$$
with $0 \leq i_j < N$ for all $j = 1, \ldots, g(g+1)/2$, and $0 \leq \ell < N$, $\gcd(N, \ell) = 1$. More precisely $\Gamma_{1,N} / \operatorname{Core}_{\Gamma_{1,N}}(\Gamma'_{1,N})$ can be written as
$$\{\, \sigma_j^{i_j} \mid 1 \leq j \leq g(g+1)/2,\ 0 \leq i_j < N \,\} \rtimes \{\, \tau_\ell \mid 0 \leq \ell < N,\ \gcd(N, \ell) = 1 \,\} \cong \mathbb{Z}_N^{g(g+1)/2} \rtimes \mathbb{Z}_N^*,$$
where the semi-direct product is taken according to the rule (2.3).
Proof. It is not hard to check that all matrices $M \in \Gamma_{1,N}$ have symmetric lower-left $g \times g$ blocks, i.e., these blocks belong to $N \operatorname{Sym}_g(\mathbb{Z}_{N^2})$. A count shows that the resulting map $\Gamma_{1,N} \to N \operatorname{Sym}_g(\mathbb{Z}_{N^2})$ is uniform (i.e., every element in the codomain has the same number of preimages), implying that $[\Gamma_{1,N} : \Gamma'_{1,N}] = N^{g(g+1)/2}$. As for the normal core, conjugating $\Gamma'_{1,N}$ with suitable matrices (e.g., one can use the matrices $\sigma_j$) reveals that
$$\operatorname{Core}_{\Gamma_{1,N}}(\Gamma'_{1,N}) \subseteq \{\, M \in \Gamma'_{1,N} \mid d(M) \equiv 1 \bmod N \,\}$$
and since the right-hand side is a normal subgroup of $\Gamma_{1,N}$, equality must hold. Finally, we have $[\Gamma'_{1,N} : \operatorname{Core}_{\Gamma_{1,N}}(\Gamma'_{1,N})] = \varphi(N)$ because $d$ defines a morphism $\Gamma'_{1,N} \to \mathbb{Z}_N^*$ which is surjective, as can be seen by evaluating it at the $\tau_\ell$'s. Now assume that some element of $\Gamma_{1,N} / \operatorname{Core}_{\Gamma_{1,N}}(\Gamma'_{1,N})$ admits two distinct decompositions
$$\sigma_1^{i_1} \cdots \sigma_{g(g+1)/2}^{i_{g(g+1)/2}} \cdot \tau_\ell = \sigma_1^{i'_1} \cdots \sigma_{g(g+1)/2}^{i'_{g(g+1)/2}} \cdot \tau_{\ell'}.$$
Applying $d$ shows that $\ell \equiv \ell' \bmod N$, hence we can assume $\ell = \ell' = 1$. We then find
(3.3)
$$\sigma_1^{i_1 - i'_1} \cdots \sigma_{g(g+1)/2}^{i_{g(g+1)/2} - i'_{g(g+1)/2}} = \begin{pmatrix} I_g & 0 \\ N \sum_{j=1}^{g(g+1)/2} (i_j - i'_j) S_{k(j)} & I_g \end{pmatrix}.$$
But this is contained in $\Gamma'_{1,N}$ only if $i_j \equiv i'_j \bmod N$ for all $j$. In particular, the expansion (3.2) is unique. Elements of the form (3.2) are a full set of representants of $\Gamma_{1,N} / \operatorname{Core}_{\Gamma_{1,N}}(\Gamma'_{1,N})$ because there are $\varphi(N) N^{g(g+1)/2}$ such expansions. The statement about the semi-direct product is easy to check using (3.3).

We now give more details on how Lemma 3.2 supports the existence of multiradical isogeny formulae, although we stress that the discussion below is partly heuristic. A major ingredient is that the sets $\mathcal{A}_g(H)$ are representable by algebraic varieties over $\mathbb{Q}$. [Footnote 6: These varieties may be geometrically reducible; more precisely, for $H \subseteq \operatorname{GSp}_{2g}(\mathbb{Z}_n)$ we have that $\mathcal{A}_g(H)$ decomposes into $[\mathbb{Z}_n^* : d(H)]$ irreducible components over $\mathbb{Q}(\zeta_n)$.] Indeed, results by Artin and Faltings–Chai show that the corresponding moduli spaces exist as schemes over $\mathbb{Z}[1/N]$, see [19, §I.4]; it then follows from Geometric Invariant Theory that these spaces are quasi-projective [36, Thm. 7.9]. Consequently, the chain
$$\mathcal{A}_g(\{\mathrm{id}\}) \to \mathcal{A}_g(\Gamma'_{1,N}) \to \mathcal{A}_g(\Gamma_{1,N}) \to \mathcal{A}_g(\operatorname{GSp}_{2g}(\mathbb{Z}_{N^2}))$$
corresponds to an inclusion of function fields
$$\mathbb{Q}(\mathcal{A}_g(\operatorname{GSp}_{2g}(\mathbb{Z}_{N^2}))) \subseteq \mathbb{Q}(\mathcal{A}_g(\Gamma_{1,N})) \subseteq \mathbb{Q}(\mathcal{A}_g(\Gamma'_{1,N})) \subseteq \mathbb{Q}(\mathcal{A}_g(\{\mathrm{id}\}))$$
where the outer extension is Galois, with Galois group $\operatorname{GSp}_{2g}(\mathbb{Z}_{N^2})$, and where $\mathbb{Q}(\mathcal{A}_g(\Gamma_{1,N}))$, resp. $\mathbb{Q}(\mathcal{A}_g(\Gamma'_{1,N}))$, are the subfields fixed by $\Gamma_{1,N}$, resp. $\Gamma'_{1,N}$. This extrapolates upon well-known statements from the elliptic curve case, which can be found in [15, 37, 39], for instance. The middle inclusion has Galois closure
$$\mathbb{Q}(\mathcal{A}_g(\{\mathrm{id}\}))^{\operatorname{Core}_{\Gamma_{1,N}}(\Gamma'_{1,N})}$$
which, in the same vein, is obtained from $\mathbb{Q}(\mathcal{A}_g(\Gamma'_{1,N}))$ by adding a primitive $N$-th root of unity $\zeta_N$. The Galois group of this Galois closure is $\Gamma_{1,N} / \operatorname{Core}_{\Gamma_{1,N}}(\Gamma'_{1,N})$, so by Lemma 2.3 and Lemma 3.2 we have
$$\mathbb{Q}(\mathcal{A}_g(\Gamma'_{1,N})) = \mathbb{Q}(\mathcal{A}_g(\Gamma_{1,N}))\big(\sqrt[N]{\rho_1}, \ldots, \sqrt[N]{\rho_{g(g+1)/2}}\big)$$
for certain functions $\rho_1, \ldots, \rho_{g(g+1)/2}$ on $\mathcal{A}_g(\Gamma_{1,N})$. The line of thought behind multiradical isogenies is then that the coordinates of our distinguished generators $P'_1, \ldots, P'_g$ can essentially be viewed as functions on $\mathcal{A}_g(\Gamma'_{1,N})$, therefore they should be expressible in terms of the radicals $\sqrt[N]{\rho_i}$. Since we work over $\mathbb{Q}$, these expressions make sense over any perfect field $K$, as long as $\operatorname{char} K$ does not divide any denominators; in fact, the idea/hope behind our good reduction assumption (3) is that all of this can be set up over $\mathbb{Z}[1/N]$ rather than $\mathbb{Q}$.

3.2. Conjectured existence of multiradical isogeny formulae. As we have discussed in the introduction, it only makes sense to talk about multiradical isogeny formulae at the level of concrete families that come equipped with formulae of Vélu, Richelot, . . . type for the codomain p.p. abelian varieties. Let us therefore repeat, in more detail, our main surmise from Conjecture 1. For integers $r, g \geq 1$, $N \geq 2$, we consider a smooth family of $g$-dimensional p.p. abelian varieties $A_s$ equipped with marked points $P_{s,1}, \ldots, P_{s,g}$ that generate an $(N, \ldots, N)$-subgroup $G_s \subseteq A_s$, where the parameter $s = (s_1, \ldots, s_r)$ ranges over some quasi-affine subset $S \subseteq \mathbb{A}^r$. We assume that we have algebraic formulae at our disposal, explicitly describing $A'_s = A_s / G_s$ in terms of the $s_i$. Then we believe that there always exist accompanying multiradical formulae, producing a set of generators $P'_{s,1}, \ldots, P'_{s,g}$ of an $(N, \ldots, N)$-subgroup $G'_s \subseteq A'_s$ which is such that the extension
$$A_s \xrightarrow{\ \varphi\ } A'_s = A_s / G_s \xrightarrow{\ \varphi'\ } A'_s / G'_s$$
is good. Moreover, we believe that the formulae can be chosen such that they are complete, and such that they work over any perfect field over which the parametrization by $S$ makes sense. The radicands $r_i$ appearing in these formulae should be related to the functions $\rho_i$ from the previous section, as follows. As before, assume we are working over $\mathbb{Q}$. By the universal property of moduli spaces, we have a natural morphism $\sigma : S \to \mathcal{A}_g(\Gamma_{1,N})$, sending $s$ to the isomorphism class of $(A_s, P_{s,1}, \ldots, P_{s,g})$. This allows us to pull back the functions $\rho_i \in \mathbb{Q}(\mathcal{A}_g(\Gamma_{1,N}))$ to $\mathbb{Q}(S)$; here we assume that the image of $S$ is not included in the polar locus of $\rho_i$. These pull-backs should be our $r_i$'s. Explicitly,
$$r_1 := \rho_1 \circ \sigma, \quad \ldots, \quad r_{g(g+1)/2} := \rho_{g(g+1)/2} \circ \sigma,$$
which can indeed be viewed as algebraic expressions in the coordinates $s_i$. We point out that, for the sake of flexibility, we do not require the map $S \to \mathcal{A}_g(\Gamma_{1,N})$ to be injective, i.e., up to isomorphism, different $s$ may result in the same p.p. abelian variety and the same generators of an $(N, \ldots, N)$-subgroup. Our examples in Section 4 include several families featuring such a redundancy.

Remark 3.3. Our formulae should make sense at every point of $S$, therefore the functions $r_1, \ldots, r_{g(g+1)/2}$ should be free of poles. In view of the completeness, they should also be free of zeroes.
Remark 3.4. For small families, the extension
$$\mathbb{Q}(S) \subseteq \mathbb{Q}(S)\big(\sqrt[N]{r_1}, \ldots, \sqrt[N]{r_{g(g+1)/2}}\big)$$
may not be of degree $N^{g(g+1)/2}$. Indeed, when pulled back along $\sigma$, several of the radicands $\rho_i$ may become interrelated. In such cases it is tempting to compress the formulae into versions that use fewer radicals, but then the completeness property gets lost. For instance, in the example in Section 4.3 below, as many as $g(g-1)/2$ radicands collapse to the constant $1$; nevertheless one should allow the corresponding occurrences of $\sqrt[N]{1}$ to range independently over the set of $N$-th roots of unity if one wants to find all $N^{g(g+1)/2}$ good extensions.

If our family of p.p. abelian varieties $A_s$ consists of (products of) Jacobians of curves $C_s$ which, when viewed as a single curve over $\mathbb{Q}(S)$, is either of genus 2 or admits a rational point, then Conjecture 1 comes with the following addendum:

(4) Tate pairings as suitable radicands. The radicands $r_1, \ldots, r_{g(g+1)/2}$ can be taken to be representants of the Tate pairings $t_N(P_{s,i}, P_{s,j}) \in \mathbb{Q}(S)^* / (\mathbb{Q}(S)^*)^N$ where $i \leq j$ range over $\{1, \ldots, g\}$.

This is motivated, again, by our examples below, and by the following observation. For each $1 \leq i \leq j \leq g$, choose a representant $r_{i,j}$ of $t_N(P_{s,i}, P_{s,j})$. Let $\mathbb{Q}(S)(G'_s)$ denote the field obtained from $\mathbb{Q}(S)$ by adjoining the coordinates of $P'_{s,1}, \ldots, P'_{s,g}$. As discussed in Remark 3.1, we can assume that $\hat{\varphi}(P'_{s,i}) = P_{s,i}$ for all $i$. This implies that
$$r_{i,j} = t_N(\hat{\varphi}(P'_{s,i}), \hat{\varphi}(P'_{s,j})) = t_N(P'_{s,i}, P'_{s,j})^N$$
when viewed as elements of $\mathbb{Q}(S)(G'_s)^* / (\mathbb{Q}(S)(G'_s)^*)^N$; the second equality follows from the compatibility property of the Tate pairing, see [30, Lem. 5]. Thus $\mathbb{Q}(S)(G'_s)$ contains $\mathbb{Q}(S)\big(\sqrt[N]{r_{i,j}} \mid 1 \leq i \leq j \leq g\big)$. We did not manage to prove that these two fields are in fact equal, which would lend further support for our addendum. [Footnote 7: Note however that the addendum is an even stronger statement, e.g., in view of Remark 3.4.] While for $g = 1$ equality can be established using non-degeneracy of the Tate pairing over finite fields containing a primitive $N$-th root of unity [10, §3], for $g > 1$ non-degeneracy or even perfectness does not seem strong enough to mimic that argument.

4. Examples

In this section, we show how multiradical isogeny formulae manifest themselves for two well-known families: Richelot isogenies, and fully split isogenies from products of elliptic curves. We also show that multiradical isogeny formulae apply to a certain $(5, 5)$-isogeny that was described by Flynn [21]. Our main example, namely non-split $(3, 3)$-isogenies from Jacobians of genus-2 curves, will be discussed in Section 5. We begin by recalling an elliptic curve example from [10].
4.1. Elliptic curves. Consider the family of elliptic curves $E$ with a marked point $P \in E$ of order $N$. For $N \geq 4$ this family is conveniently parametrized by the Tate normal form [Footnote 8: See [10, §4] for a discussion of the cases $N = 2, 3$.]:
$$E : y^2 + (1 - c)xy - by = x^3 - bx^2, \qquad P = (0, 0).$$
Concretely, we let $S \subseteq \mathbb{A}^2$ be the subset of pairs $(b, c)$ for which $E$ is non-singular and $P$ has exact order $N$; we refer to [43] for how to obtain a concrete equation for $S$, which is a model of the modular curve $Y_1(N)$ and which is naturally defined over $\mathbb{Z}[1/N]$. The existence of radical and complete isogeny formulae was discussed in [10], where it was argued that one can take $r_1 = f_{N,P}(-P)$, with $f_{N,P}$ the function on $E$ with divisor $N(P) - N(\infty)$, normalized such that its expansion at $\infty$ with respect to the uniformizer $x/y$ has leading coefficient $1$. As mentioned there, $r_1$ is a representant of $t_N(P, -P) = t_N(P, P)^{-1}$, so in order to enforce property (4), one should instead work with $r_1^{-1}$. This does not cause any issues because $r_1$ has no zeroes or poles on $S$; see also Remark 3.3. For the sake of example, let us revisit the case $N = 5$, where we have $r_1 = b$ and $S = \{(b, c) \in \mathbb{A}^2 \mid b = c,\ b \neq 0, (11 \pm 5\sqrt{5})/2\}$. Vélu's formulae yield the following defining equation for $E' = E / \langle P \rangle$:
$$y^2 + (1 - b)xy - by = x^3 - bx^2 - 5b(b^2 + 2b - 1)x - b(b^4 + 10b^3 - 5b^2 + 15b - 1).$$
From [10, §4] we see that the point
(4.1)
$$P' = \Big( 5\sqrt[5]{r_1}^{\,4} + (b - 3)\sqrt[5]{r_1}^{\,3} + (b + 2)\sqrt[5]{r_1}^{\,2} + (2b - 1)\sqrt[5]{r_1} - 2b,\ \ 5\sqrt[5]{r_1}^{\,4} + (b - 3)\sqrt[5]{r_1}^{\,3} + (b^2 - 10b + 1)\sqrt[5]{r_1}^{\,2} + (13b - b^2)\sqrt[5]{r_1} - b^2 - 11b \Big)$$
on $E'$ is of the requested kind, i.e., it is the distinguished generator of a subgroup $G' \subseteq E'[5]$ such that the composed isogeny $E \to E' \to E'/G'$ is cyclic of degree $25$. Varying the choice of $\sqrt[5]{r_1}$ produces the five subgroups for which this is true. The formula (4.1) satisfies the good reduction property and allows for a very fast computation of chains of 5-isogenies over finite fields; e.g., over $\mathbb{F}_p$ with $p \equiv 1 \bmod 5$ we obtain a speed-up by roughly a factor 40 over more traditional methods [10, Tbl. 4]. We recall that, for general $N$, the good reduction property is conjectural [10, Conj. 1].

4.2. Richelot isogenies. A convenient reference for Richelot isogenies is [40, Ch. 8]. We consider genus-2 curves $C$ equipped with two generators of a $(2, 2)$-subgroup of $J_C$. Such marked curves can be parametrized by $S = \mathbb{A}^9 \setminus \Delta$, by letting $s = (s_{ij})_{1 \leq i, j \leq 3}$ correspond to the Jacobian of
$$C : y^2 = G_1(x) G_2(x) G_3(x), \qquad G_i(x) = s_{i1} x^2 + s_{i2} x + s_{i3},$$
equipped with the divisor classes $D_1, D_2$ from Example 2.2. Here $\Delta$ is cut out by the discriminant of $G_1(x) G_2(x) G_3(x)$. The parametrization works over $\mathbb{Z}[1/2]$. We claim that we can take $r_1 = \operatorname{res}_x(G_2, G_3)$, $r_2 = \operatorname{res}_x(G_1, G_3)$ and $r_3 = \operatorname{res}_x(G_1, G_2)$. By Example 2.2 we know that
$$t_2(D_1, D_1) \equiv r_2 r_3, \qquad t_2(D_1, D_2) \equiv r_3, \qquad t_2(D_2, D_2) \equiv r_1 r_2$$
modulo squares, so the validity of property (4) is not affected by our choice of radicands. Indeed, formulae in terms of $\sqrt{r_1}, \sqrt{r_2}, \sqrt{r_3}$ can easily be rewritten into formulae in terms of $\sqrt{r_2 r_3}, \sqrt{r_3}, \sqrt{r_1 r_2}$, and vice versa. To proceed, we slightly shrink $S$ by removing the zero locus of the determinant $\delta = |s_{i,j}|_{1 \leq i, j \leq 3}$. This guarantees that the p.p. abelian surface $J_C / \langle D_1, D_2 \rangle$ is again a Jacobian. More precisely, Richelot's formulae show that it is isomorphic to $J_{C'}$ with
$$C' : \delta y^2 = H_1(x) \cdot H_2(x) \cdot H_3(x),$$
where $H_1 := G_2' G_3 - G_2 G_3'$, $H_2 := G_3' G_1 - G_3 G_1'$ and $H_3 := G_1' G_2 - G_1 G_2'$. The reader can verify that $\operatorname{disc}(H_i) = 4 r_i$, so the two zeroes of $H_i$ are algebraic expressions in $\sqrt{r_i}$ and in the $s_{ij}$'s, and they are obtained from one another by choosing the other square root of $r_i$; denote these two zeroes by $\alpha_{\pm i}$. Then according to [9, Prop. 2] the classes of
$$D'_1 = (\alpha_1, 0) + (\alpha_2, 0) - \infty_1 - \infty_2, \qquad D'_2 = (\alpha_{-1}, 0) + (\alpha_3, 0) - \infty_1 - \infty_2$$
generate a $(2, 2)$-subgroup of $J_{C'}$ that defines a $(4, 4)$-extension of the incoming isogeny $J_C \to J_{C'}$. Still according to [9, Prop. 2], the sign flips $\pm i$ produce the eight subgroups for which this is true. Thus we have found formulae that are multiradical and complete, and they clearly work in any characteristic different from $2$.

Remark 4.1. One could also try and study the complementary case, namely the restriction $S_0$ of $S$ to the zero locus of $\delta$. In this case $J_C / \langle D_1, D_2 \rangle$ geometrically splits as a product of two elliptic curves. Concrete equations for these elliptic curves can be found in [40, p. 119]. The reader can check that they are defined over the field obtained by adding a square root of $\operatorname{disc}_z(\operatorname{disc}_x(G_2 + z G_3))$ which, interestingly, turns out to be $16 r_1$. However, for a genuine verification of Conjecture 1, one would need a model of $J_C / \langle D_1, D_2 \rangle$ over $\mathbb{Q}(S_0)$ rather than $\mathbb{Q}(S_0)(\sqrt{r_1})$. This model concerns the Weil restriction to $\mathbb{Q}(S_0)$ of an elliptic curve defined over $\mathbb{Q}(S_0)(\sqrt{r_1})$, which is not easy to describe explicitly; see also [4].

4.3. Fully split $(N, \ldots, N)$-isogenies from products of elliptic curves. In this example we consider $g$-fold products $E_1 \times \cdots \times E_g$ of elliptic curves, marked with generators $D_1, \ldots, D_g$ of an $(N, \ldots, N)$-subgroup that are of the following kind: each $D_i$ is a $g$-tuple with $\infty_{E_j}$ at entry $j$, except when $j = i$ where we then have a point $P_i \in E_i$ of order $N$. Assuming $N \geq 4$, such marked products are naturally parametrized by $S^g \subseteq \mathbb{A}^{2g}$, with $S$ the modular curve $Y_1(N)$ from Section 4.1. Note that the corresponding $(N, \ldots, N)$-isogenies split completely, i.e., they are of the form
$$\Phi : E_1 \times \cdots \times E_g \to E'_1 \times \cdots \times E'_g,$$
decomposing as the product of cyclic $N$-isogenies $\phi_i : E_i \to E'_i$ with kernel $\langle P_i \rangle$. We assume that the elliptic curves $E'_i$ are given by Vélu's formulae. For each $i = 1, \ldots, g$, we let $r_i$ be the representant of the Tate self-pairing $t_N(P_i, P_i)$ whose inverse was described in Example 4.1.
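Before continuing with the split case, here is a worked check of the Richelot step of Section 4.2 (an added example written for this page, not the paper's own code or the repository's). For a constructed triple $G_1, G_2, G_3$ it computes $\delta$, the $H_i$, the resultants $r_i$, verifies $\operatorname{disc}(H_i) = 4 r_i$ exactly over $\mathbb{Q}$, writes the zeroes $\alpha_{\pm i}$ in the form $u \pm v\sqrt{r_i}$, and enumerates the eight sign patterns that give the divisors $D'_1, D'_2$ above. The sample coefficients $s_{ij}$ are constructed so that $\delta \neq 0$, the sextic has no repeated root, and each $H_i$ is genuinely quadratic (the code refuses a degenerate $H_i$, whose missing zero sits at infinity); the function names and the resultant-via-Sylvester-determinant routine are this example's own.

```python
"""Richelot step of Section 4.2 over Q, as an added check (not the paper's code).

Polynomials are lists of exact rationals, lowest degree first: [c, b, a] is c + b x + a x^2.
"""
from fractions import Fraction
from itertools import product

def padd(f, g):
    n = max(len(f), len(g))
    return [(f[i] if i < len(f) else 0) + (g[i] if i < len(g) else 0) for i in range(n)]

def psub(f, g):
    return padd(f, [-c for c in g])

def pmul(f, g):
    out = [Fraction(0)] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] += a * b
    return out

def pderiv(f):
    return [i * c for i, c in enumerate(f)][1:]

def det(m):
    """Determinant by Gaussian elimination over the rationals."""
    m = [list(row) for row in m]
    n, d = len(m), Fraction(1)
    for c in range(n):
        piv = next((r for r in range(c, n) if m[r][c] != 0), None)
        if piv is None:
            return Fraction(0)
        if piv != c:
            m[c], m[piv] = m[piv], m[c]
            d = -d
        d *= m[c][c]
        for r in range(c + 1, n):
            k = m[r][c] / m[c][c]
            for cc in range(c, n):
                m[r][cc] -= k * m[c][cc]
    return d

def resultant(f, g):
    """res_x(f, g) as the Sylvester determinant (deg g rows of f, deg f rows of g)."""
    m, n = len(f) - 1, len(g) - 1
    fh, gh = f[::-1], g[::-1]
    rows = [[Fraction(0)] * i + fh + [Fraction(0)] * (n - 1 - i) for i in range(n)]
    rows += [[Fraction(0)] * i + gh + [Fraction(0)] * (m - 1 - i) for i in range(m)]
    return det(rows)

def disc2(h):
    """b^2 - 4ac of a polynomial of degree at most 2 (its x^3 coefficient is 0 here)."""
    c, b, a = (list(h) + [0, 0, 0])[:3]
    return b * b - 4 * a * c

def richelot(s):
    """From s = (s_ij) return delta, (G_1, G_2, G_3), (H_1, H_2, H_3), (r_1, r_2, r_3)."""
    G = [[Fraction(s[i][2]), Fraction(s[i][1]), Fraction(s[i][0])] for i in range(3)]
    delta = det([[Fraction(v) for v in row] for row in s])
    bracket = lambda a, b: psub(pmul(pderiv(a), b), pmul(a, pderiv(b)))  # a' b - a b'
    H = [bracket(G[1], G[2]), bracket(G[2], G[0]), bracket(G[0], G[1])]
    r = [resultant(G[1], G[2]), resultant(G[0], G[2]), resultant(G[0], G[1])]
    return delta, G, H, r

def roots_in_radical(h):
    """Zeroes of a quadratic H_i with disc(H_i) = 4 r_i, returned as (u, v): alpha = u +/- v*sqrt(r_i)."""
    c, b, a = (list(h) + [0, 0, 0])[:3]
    if a == 0:
        raise ValueError("H_i is not quadratic: one of its zeroes is at infinity")
    return (-b / (2 * a), Fraction(1) / a)

def good_extension_kernels(s):
    """The eight (alpha_{+-1}, alpha_{+-2}, alpha_{+-3}) sign choices for D'_1, D'_2."""
    delta, G, H, r = richelot(s)
    if delta == 0:
        raise ValueError("delta = 0: the quotient surface is not a Jacobian")
    for h, ri in zip(H, r):
        assert disc2(h) == 4 * ri            # the identity disc(H_i) = 4 r_i
    roots = [roots_in_radical(h) for h in H]
    alpha = lambda i, e: (roots[i][0], e * roots[i][1])  # e = +1: alpha_i, e = -1: alpha_{-i}
    kernels = []
    for e1, e2, e3 in product((1, -1), repeat=3):
        D1 = (alpha(0, e1), alpha(1, e2))    # (alpha_{+-1}, 0) + (alpha_{+-2}, 0) - inf_1 - inf_2
        D2 = (alpha(0, -e1), alpha(2, e3))   # (alpha_{-+1}, 0) + (alpha_{+-3}, 0) - inf_1 - inf_2
        kernels.append((D1, D2))
    return kernels

# constructed sample: G1 = x^2 - 9, G2 = x^2 + x - 2, G3 = 2x^2 - 3x - 2 (distinct roots, delta = 37)
SAMPLE_S = [[1, 0, -9], [1, 1, -2], [2, -3, -2]]

if __name__ == "__main__":
    delta, G, H, r = richelot(SAMPLE_S)
    print("delta =", delta, " r =", r, " disc(H_i) =", [disc2(h) for h in H])
    for D1, D2 in good_extension_kernels(SAMPLE_S):
        print(D1, D2)
```

Each kernel is reported by the $x$-coordinates of the four Weierstrass points involved, as pairs $(u, v)$ meaning $u + v\sqrt{r_i}$, which is exactly the shape in which the text says the $\alpha_{\pm i}$ are "algebraic expressions in $\sqrt{r_i}$ and in the $s_{ij}$'s"; the sign of $v$ is the only thing the eight choices change.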
We then choose the following representants of the Tate pairings $t_N(D_i, D_j)$, $1 \leq i \leq j \leq g$: we pick $1$ as soon as $i < j$, and we pick $r_i$ if $i = j$. We are interested in identifying all $(N, \ldots, N)$-subgroups of $(E'_1 \times \cdots \times E'_g)[N]$ that have trivial intersection with the kernel of the dual of $\Phi$. Indeed, these are precisely the subgroups that can occur as $\ker \Psi$ for a good extension $\Psi$ of $\Phi$. To
get a handle on the kernel of $\hat{\Phi}$, which is just the product of the $\hat{\phi}_i$'s, we rely on Lemma 4.2 below. When applied over $\mathbb{Q}(S)$, it implies that for each $i = 1, \ldots, g$ we can find a formula $P'_i(\sqrt[N]{1})$ which, when reading $\sqrt[N]{1}$ as $\zeta_N$, produces a generator $P'_i$ of $\ker \hat{\phi}_i$ and which, when reading $\sqrt[N]{1}$ as $\zeta_N^k$, produces the point $k P'_i$ for $0 \leq k \leq N - 1$. Then $\ker \hat{\Phi}$ can be written as $\langle C_1, \ldots, C_g \rangle$, where each $C_i$ is a $g$-tuple with $\infty_{E'_j}$ at each entry, except at $j = i$ where we have $P'_i$.

Lemma 4.2. Let $E$ be an elliptic curve over a perfect field $K$ with $\operatorname{char} K \nmid N$ and let $P \in E(K)$ be a point of order $N$. Let $\phi : E \to E' = E / \langle P \rangle$ be the corresponding quotient isogeny, where $E'$ is given by Vélu's formulae. Let $P'$ be a generator of the kernel of the dual isogeny $\hat{\phi}$. Then there exist polynomials $F, G, H \in K[z]$ such that
$$[F(\zeta_N^k) : G(\zeta_N^k) : H(\zeta_N^k)] = k P'$$
for all $0 \leq k \leq N - 1$.

Proof. The Weil pairing gives a group isomorphism between $\ker \hat{\phi}$ and $\mu_N$ that is compatible with the action of $\operatorname{Gal}(\overline{K}/K)$. In particular $P'$ has coordinates in $K(\zeta_N)$. Define $F(z)$ to be the classical Lagrange polynomial that interpolates the $x$-coordinates of $k P'$ for $0 \leq k \leq N - 1$. More precisely,
$$F(z) = \sum_{k=0}^{N-1} x(k P')\, \ell_k(z), \qquad \text{with} \qquad \ell_k(z) = \prod_{\substack{0 \leq m \leq N-1 \\ m \neq k}} \frac{z - \zeta_N^m}{\zeta_N^k - \zeta_N^m}.$$
Then it suffices to show that for any $\sigma \in \operatorname{Gal}(K(\zeta_N)/K)$ it holds that $F(z) = F^\sigma(z)$. Note that $\sigma : \zeta_N \mapsto \zeta_N^a$ for some $a$ coprime to $N$. One verifies that
$$\ell_k^\sigma(z) = \prod_{\substack{0 \leq m \leq N-1 \\ m \neq k}} \frac{z - \zeta_N^{am}}{\zeta_N^{ak} - \zeta_N^{am}} = \prod_{\substack{0 \leq m \leq N-1 \\ m \neq ak}} \frac{z - \zeta_N^{m}}{\zeta_N^{ak} - \zeta_N^{m}} = \ell_{ak}(z).$$
Furthermore, we can assume that the $x$-coordinates of the points of $\ker \hat{\phi}$ within the same Galois orbit were chosen compatibly, i.e. $\sigma(x(k P')) = x(\sigma(k P'))$ for all $\sigma \in \operatorname{Gal}(K(\zeta_N)/K)$ and for all $0 \leq k \leq N - 1$. Then because of the aforementioned isomorphism we must have $\sigma(x(k P')) = x(ak P')$, such that indeed $F(z) = F^\sigma(z)$ as wanted. An analogous argument applies to the polynomials $G$ and $H$.

We also know that, for each $i = 1, \ldots, g$, there exists a formula $Q_i(\sqrt[N]{r_i})$ producing a point $Q_i$ that extends $P'_i$ to a basis of $E'_i[N]$. Furthermore, we know that by scaling $\sqrt[N]{r_i}$ with $\zeta_N^k$ for $0 \leq k \leq N - 1$, we cycle through all elements $Q_i + k P'_i$. We are ready to give multiradical and complete formulae that produce $g$-tuples $D'_1, \ldots, D'_g \in E'_1 \times \cdots \times E'_g$ generating the kernel of a good extension $\Psi$ of $\Phi$. Fix
$$D'_1 = \big(Q_1(\sqrt[N]{r_1}),\ P'_2(\sqrt[N]{1}),\ \ldots,\ P'_g(\sqrt[N]{1})\big),$$
which has $g$ degrees of freedom. Next, choose
$$D'_2 = \big(\infty_{E'_1},\ Q_2(\sqrt[N]{r_2}),\ P'_3(\sqrt[N]{1}),\ \ldots,\ P'_g(\sqrt[N]{1})\big),$$
where we fixed the first coordinate at $\infty_{E'_1}$ in order to avoid repetitions in the subgroups generated by $D'_1$ and $D'_2$. This results in $g - 1$ degrees of freedom. Continuing this inductively, we end up with
$$D'_g = \big(\infty_{E'_1},\ \ldots,\ \infty_{E'_{g-1}},\ Q_g(\sqrt[N]{r_g})\big)$$
with only $1$ degree of freedom left. In total, we have $\sum_{j=1}^{g} j = g(g+1)/2$ degrees of freedom as wanted, and running through all possible interpretations of the radicals (including the $g(g-1)/2$ occurrences of $\sqrt[N]{1}$) provides the kernels of all possible good extensions.

4.4. Flynn's family of $(5, 5)$-isogenies from genus-2 curve Jacobians. Consider the family of genus-2 curves with given $(5, 5)$-subgroup from [21], involving a single parameter $r$. In this section, we illustrate that multiradical isogeny formulae apply to this family. We do not aim at a full analysis including completeness, etc; in fact, for simplicity we will restrict to the curve at $r = 1$. We remark that the absolute Igusa invariants of Flynn's family are in fact parameterless, so up to isomorphism this is the only curve in the family. In order for the generators of the $(5, 5)$-subgroup to be rational (and not just the subgroup), we will fix the base field as $\mathbb{Q}(\zeta_5)$, where $\zeta_5$ is a fifth root of unity. [Footnote 9: Remark that the quadratic extension $\mathbb{Q}(\sqrt{5})$ would suffice, but adding $\zeta_5$ makes for easier notation up ahead.] Writing $\gamma_1 = \sqrt{5} = 2\zeta_5^3 + 2\zeta_5^2 + 1 \in \mathbb{Q}(\zeta_5)$, we have
$$C : y^2 = x^5 + 25x^4 - 200x^3 + 560x^2 - 640x + 256, \qquad T_1 = (4, 16\gamma_1) - \infty, \quad T_2 = (0, 16) - \infty,$$
where $T_1, T_2 \in J_C[5]$. Writing $\gamma_2 = \sqrt{2(1/\gamma_1 - 1)} = \dfrac{2\zeta_5^3 - 6\zeta_5^2 - 4\zeta_5 - 2}{5} \in \mathbb{Q}(\zeta_5)$, the genus-2 curve associated with the isogenous abelian surface obtained by quotienting out $\langle T_1, T_2 \rangle$ can be written as
$$\tilde{C} : y^2 = x^5 - 125x^4 + 5000x^3 - 175000x^2 + 1250000x - 81250000,$$
$$\tilde{T}_1 = (10\gamma_1, 10000\gamma_2) - \infty, \qquad \tilde{T}_2 = (-10\gamma_1, 5000\gamma_2(\gamma_1 + 1)) - \infty,$$
where $\langle \tilde{T}_1, \tilde{T}_2 \rangle$ is the kernel of the dual isogeny (in particular, $\tilde{T}_1, \tilde{T}_2 \in J_{\tilde{C}}[5]$). In order to extend $\tilde{T}_1, \tilde{T}_2$ to a basis for the 5-torsion of the Jacobian of $\tilde{C}$, with conjectured property (4) in mind we compute the following Tate pairings:
$$t_5(T_1, T_1) \equiv \gamma_1, \qquad t_5(T_1, T_2) \equiv (\gamma_1 - 1)/2, \qquad t_5(T_2, T_2) \equiv 1.$$
Defining $r_1 = \gamma_1$ and $r_2 = (\gamma_1 - 1)/2$, Conjecture 1 predicts that we can expect to find the 5-torsion of $J_{\tilde{C}}$ in $\mathbb{Q}(\zeta_5, \sqrt[5]{r_1}, \sqrt[5]{r_2})$. In order to compute this 5-torsion, we use techniques from [26] that build upon the work of [8]. Concretely, a typical 5-torsion point is expected to be represented by a divisor $D = P_1 + P_2 - 2\infty = (x_1, y_1) + (x_2, y_2) - 2\infty$, for two affine points $(x_1, y_1), (x_2, y_2)$ on $\tilde{C}$. We read the condition $5D \equiv 0$ as $5(P_1 - \infty) \equiv -5(P_2 - \infty)$. In [8], recursive formulae are derived to express $5((x_1, y_1) - \infty)$ in function of $x_1, y_1$ and the coefficients of our genus-2 curve $\tilde{C}$. The same can be done for $-5((x_2, y_2) - \infty)$ and the aforementioned equality results in a system of equations that can be solved by a Gröbner basis computation. Note that for $D$ to be rational over a certain field, $x_1, y_1, x_2, y_2$ need not necessarily be defined over that same field. In Mumford coordinates, we can write
$$D = \Big[\, x^2 - (x_1 + x_2)x + x_1 x_2,\ \ y_1 + (y_2 - y_1)\frac{x - x_1}{x_2 - x_1} \,\Big]$$
and it suffices for the coefficients of these polynomials to be defined over the field. In practice, it is most convenient to simply add an extra variable and corresponding equation to the Gröbner basis computation from before, such as $X - (x_1 + x_2)$, and then compute the minimal polynomial of $X$ (i.e., put it last in a lexicographic
monomial ordering for the Gr¨obner basis computation). The roots of this polynomial will then correspond to all possible x1 + x2 such that the class of D is 5-torsion. There are 54 − 1 = 624 nontrivial elements in JC [5], but since D and −D correspond to the same x1 + x2 , we expect the minimal polynomial of X to be of degree 312 generically. In this specific case though, we have multiple 5-torsion divisors of the form (x1 , y1 )−∞ rather than (x1 , y1 )+(x2 , y2 )−2∞ (e.g., this is the case for T 1 and T 2 ). The techniques of [26] do not capture such points. Nonetheless, all other 5-torsion divisors can be found this way and the minimal polynomial of X √ √ turns out to be of degree 305. Factoring this polynomial over Q(ζ5 , 5 r1 , 5 r2 )[X] we see that it splits completely as expected, thereby lending support to Conjecture 1. A similar computation can be done for the other coefficients of the Mumford coordinates, which allows us to define
$$T_3 = \Bigl( x^2 + 100\,\frac{\alpha_2^4 - (\zeta_5 + 1)^2\alpha_2^3 - (\zeta_5^4 + 1)\alpha_2^2 + (\zeta_5^3 - 2\zeta_5 - 2)\alpha_2 + 1}{\gamma_1 \zeta_5^3 (\zeta_5 + 1)^2}\,x + \frac{10\alpha_2^4 - 2(\zeta_5 - 1)^2\alpha_2^3 - 2(7\zeta_5^3 + 11\zeta_5^2 + 7\zeta_5)\alpha_2^2 + 10(\zeta_5^3 - 2\zeta_5 - 2)\alpha_2 + 1}{\gamma_1 \zeta_5^3 (\zeta_5 + 1)^2},$$
$$\qquad 100\bigl( (7\zeta_5^2 - \zeta_5 + 7)\alpha_2^4 - (2\zeta_5^3 + 5\zeta_5^2 + 2\zeta_5)\alpha_2^3 + (7\zeta_5^3 + 5\zeta_5 + 5)\alpha_2^2 - (6\zeta_5^3 + 7\zeta_5^2 + 7\zeta_5 + 6)\alpha_2 - 7 \bigr)\,x$$
$$\qquad + 500\bigl( -(3\zeta_5^2 + 3\zeta_5 + 3)\alpha_2^4 - (2\zeta_5^3 - \zeta_5^2 + 2\zeta_5)\alpha_2^3 + (\zeta_5^3 - \zeta_5 - 1)\alpha_2^2 + (6\zeta_5^3 + 3\zeta_5^2 + 3\zeta_5 + 6)\alpha_2 - 5 \bigr) \Bigr),$$
where $\alpha_2 = \sqrt[5]{r_2}$. One can easily verify that $T_3 \in J_C[5] \setminus \langle T_1, T_2 \rangle$. The expression for a fourth element $T_4$ that completes a basis for $\mathrm{Jac}(C)[5]$ is too voluminous to reproduce here, but can be found online in our repository at https://github.com/KULeuven-COSIC/Multiradical-Isogenies. From this basis, the 125 maximal isotropic $(5, 5)$-subgroups that determine a kernel which intersects the kernel of the dual isogeny trivially can easily be computed.

5. Multiradical (3, 3)-isogenies

5.1. The parametrization by Bruin, Flynn and Testa. Over any perfect field $K$ with $\operatorname{char} K \nmid 6$, we consider $\mathbb{A}^3$ with coordinates $r, s, t$, and we let $S \subseteq \mathbb{A}^3$ be the joint complement of the zero loci of (footnote 10: note that [5] define $\delta_1 = s$ and $\delta_2 = t$, so some care is needed when comparing our formulae with the ones from this reference)
$$\delta_1 = t,\quad \delta_2 = s,\quad \delta_3 = st + 1,\quad \delta_4 = r^3 - 3rt + t^2 + t,\quad \delta_5 = r^3 s - 3rst + st^2 + st + t,$$
$$\delta_6 = r^3 s^2 - 3rs^2 t - 3rs + s^2 t^2 + s^2 t + 2st + s + 1,$$
WOUTER CASTRYCK AND THOMAS DECRU
$$\delta_7 = r^3 s^2 t + r^3 s - 3rs^2 t^2 - 3rst + s^2 t^3 + s^2 t^2 + 2st^2 + t,$$
$$\Delta = r^6 s^2 - 6r^4 s^2 t - 3r^4 s + 2r^3 s^2 t^2 + 2r^3 s^2 t + 3r^3 st + r^3 s + r^3 + 9r^2 s^2 t^2 + 6r^2 st - 6rs^2 t^3 - 6rs^2 t^2 - 9rst^2 - 3rst - 3rt + s^2 t^4 + 2s^2 t^3 + s^2 t^2 + 2st^3 + 3st^2 + t^2 + t$$
and also of $r - 1$, $r^2 - t$ and $rs - st - 1$ (we don't give a name to these last three polynomials since their role is less essential, see Remark 5.2 below). Following Bruin, Flynn and Testa [5], to $r, s, t$ we then attach the genus-2 curve $C_{rst} : y^2 = F_{rst}(x)$, where
$$F_{rst}(x) = G_1(x)^2 + \lambda_1 H_1(x)^3 = G_2(x)^2 + \lambda_2 H_2(x)^3$$
and
$$H_1(x) = x^2 + rx + t,\quad \lambda_1 = 4s,\quad G_1(x) = (s - st - 1)x^3 + 3s(r - t)x^2 + 3sr(r - t)x - st^2 + sr^3 + t,$$
$$H_2(x) = x^2 + x + r,\quad \lambda_2 = 4st,\quad G_2(x) = (s - st + 1)x^3 + 3s(r - t)x^2 + 3sr(r - t)x - st^2 + sr^3 - t.$$
One can calculate that $\operatorname{disc}(F_{rst}) = -2^{12} 3^6\, \delta_1^3 \delta_2^3 \delta_3 \delta_4^3 \delta_5 \delta_6^3 \delta_7^3 \neq 0$, so $C_{rst}$ is a genus-2 curve. We write $J_{rst}$ for the Jacobian of $C_{rst}$.

Proposition 5.1. For $i = 1, 2$, write $T_i \in J_{rst}(K)$ for the divisor class of
$$(H_i, G_i) := (\alpha_{i1}, G_i(\alpha_{i1})) + (\alpha_{i2}, G_i(\alpha_{i2})) - \infty_1 - \infty_2,$$
where $\alpha_{i1}, \alpha_{i2} \in \bar{K}$ denote the zeroes of $H_i(x)$. Then $\langle T_1, T_2 \rangle$ is a maximal isotropic subgroup of $J_{rst}$, and the quotient $J_{rst}/\langle T_1, T_2 \rangle$ is isomorphic over $K$ to the Jacobian $J^{(-3)}_{r's't'}$ of the genus-2 curve
$$C^{(-3)}_{r's't'} : -3y^2 = F_{r's't'}(x)$$
where
$$(r', s', t') = \psi_0(r, s, t) := \left( \frac{-s(r - 1)(r^2 - t)(\delta_5 - r)}{(rs - st - 1)^2 \delta_4},\ \frac{(rs - st - 1)^3 \delta_4^2}{st(r - 1)^3 \Delta},\ \frac{s^2 (r - 1)^3 (r^2 - t)^3}{(rs - st - 1)^3 \delta_4^2} \right).$$
Writing $F_{r's't'}(x) = G_1'(x)^2 + \lambda_1' H_1'(x)^3 = G_2'(x)^2 + \lambda_2' H_2'(x)^3$ as above, the kernel of the dual isogeny is generated by the corresponding points $T_i'$, by which we mean the divisor classes of
$$(H_i', G_i'/\sqrt{-3}) = (\alpha_{i1}', G_i'(\alpha_{i1}')/\sqrt{-3}) + (\alpha_{i2}', G_i'(\alpha_{i2}')/\sqrt{-3}) - \infty_1 - \infty_2,$$
with $\alpha_{i1}', \alpha_{i2}' \in \bar{K}$ the zeroes of $H_i'(x)$, for $i = 1, 2$.
Proof. This follows from [5, Thm. 6 & Lem. 10].
We call $(H_i, G_i)$ the Mumford coordinates of $T_i$, because of the clear analogy with the Mumford coordinates in the case of hyperelliptic curves with an imaginary Weierstrass model, i.e., with a unique place at infinity (footnote 11: for an even better analogy, one should reduce the degree of the second component by writing $(H_i, G_i \bmod H_i)$).
All sufficiently general triples $(C, T_1, T_2)$ with $C$ a genus-2 curve and $T_1, T_2$ generating a $(3, 3)$-subgroup of $J_C$ are reached by the above parametrization. One exception is where the effective parts of (the natural representants of) the divisor classes corresponding to the generators $T_1, T_2$ have non-disjoint supports. This is how one should understand the role of $r - 1$, $r^2 - t$, $rs - st - 1$: if any one of these expressions is zero, then one can still consider $C_{rst}, T_1, T_2$ as above (footnote 12: as long as no $\delta_i$ vanishes), but the formulae of [5] will produce generators of the kernel of the dual isogeny that have non-disjoint supports.

Remark 5.2. While for certain curves the parametrization misses certain pairs $T_1, T_2$ generating a $(3, 3)$-subgroup, every $(3, 3)$-subgroup is reached. Indeed, by [5, Lem. 3] in combination with the paragraph preceding [5, Thm. 6], at least one choice of basis with generators from $\{T_1, T_2, T_1 + T_2, T_1 - T_2\}$ will be in sufficiently general form.

The role of $\Delta$ is more fundamental: it should not vanish because otherwise the quotient $J_{rst}/\langle T_1, T_2 \rangle$ is $K$-isomorphic to a product of elliptic curves. We discuss the multiradical isogeny formulae corresponding to the family $S$ in Section 5.2. First, as an intermezzo, let us elaborate and discuss how to handle the case $\Delta = 0$, as well as how to walk away from products of elliptic curves. None of the material below is new; however, to the best of our knowledge, there is no article containing all these formulae, so we felt it was worth gathering them.

From Jacobians to products. If $\Delta = 0$, then any algebraic software package can easily verify that the polynomial $F_{rst}(x)$ factors into two cubic polynomials over the ring $\mathbb{Q}(r, s, t, \zeta_3)[x]/(\Delta)$, where $\zeta_3$ is a primitive cubic root of unity. This factorization induces an isogeny to a product of elliptic curves, and we refer to [33] for the general construction for ( , )-split Jacobians. In the specific case of a $(3, 3)$-split Jacobian, we mention the complete characterization by [3, Prop. A.2].

Proposition 5.3. Let $C$ be a genus-2 curve over a perfect field $K$ with $\operatorname{char} K \nmid 6$, and $J$ the Jacobian of $C$. If $J$ is $(3, 3)$-isogenous to a product of elliptic curves $E_1 \times E_2$, then there exist elements $a, b, c, d, t \in K$ with
$$12ac + 16bd = 1,\qquad \Delta_1 = a^3 + b^2 \neq 0,\qquad \Delta_2 = c^3 + d^2 \neq 0,\qquad t \neq 0,$$
such that $C$ is isomorphic to $C_{abcdt} : ty^2 = f(x)$ and $E_i$ is isomorphic to $E_{i,abcdt} : ty^2 = f_i(x)$ for $i \in \{1, 2\}$, with
$$f(x) = (x^3 + 3ax + 2b)(2dx^3 + 3cx^2 + 1),$$
$$f_1(x) = x^3 + 12(2a^2 d - bc)x^2 + 12(16ad^2 + 3c^2)\Delta_1 x + 512\Delta_1^2 d^3,$$
$$f_2(x) = x^3 + 12(2bc^2 - ad)x^2 + 12(16b^2 c + 3a^2)\Delta_2 x + 512\Delta_2^2 b^3.$$
The corresponding morphisms $\phi_i : C_{abcdt} \to E_{i,abcdt}$ are given by
$$\phi_1(x, y) \mapsto \left( 12\Delta_1\,\frac{-2dx + c}{x^3 + 3ax + 2b},\ \ y\Delta_1\,\frac{16dx^3 - 12cx^2 - 1}{(x^3 + 3ax + 2b)^2} \right),$$
$$\phi_2(x, y) \mapsto \left( 12\Delta_2\,\frac{x^2(ax - 2b)}{2dx^3 + 3cx^2 + 1},\ \ y\Delta_2\,\frac{x^3 + 12ax - 16b}{(2dx^3 + 3cx^2 + 1)^2} \right).$$
As mentioned, the Jacobian of a genus-2 curve is generically not $(3, 3)$-split. If it is, however, the curves $E_{1,abcdt}$ and $E_{2,abcdt}$ will typically be unique up to isomorphism, i.e., the Jacobian should not be expected to split in more than one way. Up to isomorphism, there are only two genus-2 curves which are $(3, 3)$-isogenous to distinct products of elliptic curves [38]. Ideally, we would like more uniform formulae to identify the curves $C_{rst}$ and $C_{abcdt}$ with one another in the case $\Delta$ equals zero. Unfortunately, these formulae would be extremely lengthy; finding an isomorphism from one to the other in practice can, however, be done relatively easily by a Gröbner basis computation, since isomorphisms between genus-2 curves are well understood.

Isogenies from products. Let $E_1 \times E_2$ be a product of elliptic curves, both defined over a perfect field $K$ with $\operatorname{char} K \nmid 6$, and $T_1, T_2 \in (E_1 \times E_2)(K)[3]$ such that $\langle T_1, T_2 \rangle$ is maximal isotropic with respect to the 3-Weil pairing. Then $(E_1 \times E_2)/\langle T_1, T_2 \rangle$ is again a product of elliptic curves in two scenarios. The first scenario is the most common one, where $T_1, T_2$ correspond to 3-torsion points on the separate elliptic curves $E_1, E_2$. The codomain of the isogeny can be computed using Vélu's formulae.

Proposition 5.4. Consider elliptic curves $E_1, E_2$ over a perfect field $K$ with $\operatorname{char} K \nmid 6$, with non-trivial $T_1 \in E_1[3]$, $T_2 \in E_2[3]$. Then $E_i$ can be written as
$$E_i : y^2 + a_i xy + b_i y = x^3$$
for $i \in \{1, 2\}$, where the $T_i$ have been translated to $(0, 0)$ on the respective curves. Write $G = \langle (T_1, \infty_{E_2}), (\infty_{E_1}, T_2) \rangle$. Then the codomain of the isogeny with kernel $G$ is again a product of elliptic curves $E_1' \times E_2'$, where for $i \in \{1, 2\}$ we can write
$$E_i' : y^2 + a_i xy + b_i y = x^3 - 5a_i b_i x - a_i^3 b_i - 7b_i^2.$$

The second situation where the codomain of a $(3, 3)$-isogeny with domain $E_1 \times E_2$ is again a product of elliptic curves is the relatively rare occurrence when there exists a 2-isogeny $\theta : E_1 \to E_2$. In this case, the isogeny is the endomorphism
$$\varphi : E_1 \times E_2 \to E_1 \times E_2,\qquad (P, Q) \mapsto (P + \hat{\theta}(Q),\ -Q + \theta(P)),$$
with kernel the graph of the 2-isogeny $\theta|_{E_1[3]}$, see for example [23, §1].

In all other scenarios, $(E_1 \times E_2)/\langle T_1, T_2 \rangle$ is the Jacobian of a genus-2 curve, where the kernel is the graph of an anti-isometry with respect to the 3-Weil pairing (see for example [16, Prop. 5.6] or [32, Thm. 3]). By this we mean that there exists an isomorphism $\psi : E_1[3] \to E_2[3]$ such that $e_3(\psi(P), \psi(Q)) = e_3(P, Q)^{-1}$ for all $P, Q \in E_1[3]$. The formulae in this case are simply the dual isogenies of the split Jacobians in Proposition 5.3. Of the 40 $(3, 3)$-isogenies with domain $E_1 \times E_2$, generically there are 16 with codomain a product of elliptic curves, and 24 with codomain the Jacobian of a genus-2 curve. The only exception to this is by means of an aforementioned 2-isogeny $\theta : E_1 \to E_2$.

5.2. Multiradical formulae. We are interested in finding good extensions of our $(3, 3)$-isogeny
$$(5.1)\qquad J_{rst} \longrightarrow J^{(-3)}_{r's't'} = J_{rst}/\langle T_1, T_2 \rangle.$$
In view of the conjectured property (4), let us compute the relevant Tate pairings. The reader might want to compare the following lemma with the Weil pairing computation from [5, Lem. 4].

Lemma 5.5. Let $C : y^2 = G_1^2 + \lambda_1 H_1^3 = G_2^2 + \lambda_2 H_2^3$ be a genus-2 curve over $K$ with $G_1, G_2, H_1, H_2 \in K[x]$ and $H_1, H_2$ quadratic, and consider the corresponding points $T_1 = (H_1, G_1)$, $T_2 = (H_2, G_2) \in J_C[3]$. Then
$$t_3(T_1, T_2) \equiv \operatorname{res}_x(G_1 - G_2, H_2)/\lambda_1.$$

Proof. Write $\alpha_{11}, \alpha_{12}$, resp. $\alpha_{21}, \alpha_{22}$, for the roots of $H_1(x)$, resp. $H_2(x)$. It is easy to check that $G_1(x) - y$ has divisor $3(H_1, G_1)$; however, in order to move away from infinity, as we did in Example 2.2, we instead work with $(G_1(x) - y)/(x - c)^3$ for some $c \in K$ that is different from $\alpha_{21}, \alpha_{22}$. Evaluating this function in $(H_2, G_2)$ yields
$$t_3(T_1, T_2) \equiv -\,\frac{(G_1(\alpha_{21}) - G_2(\alpha_{21}))(G_1(\alpha_{22}) - G_2(\alpha_{22}))}{(\alpha_{21} - c)^3 (\alpha_{22} - c)^3\, \lambda_1\, \operatorname{lc}(H_1)^3} \equiv \operatorname{res}_x(G_1 - G_2, H_2)/\lambda_1$$
modulo $(K^*)^3$.

Applying this to our instances of $T_1, T_2$, one checks that $\operatorname{res}_x(G_1 - G_2, H_2)/\lambda_1$ equals $\delta_4/\delta_2$. As for the other pairings: Bruin, Flynn and Testa have also provided an explicit Mumford representation $(H_3, G_3)$ for $T_3 := T_1 + T_2$, see [5, Thm. 6], and the analogous computations yield $t_3(T_1, T_3) \equiv \delta_7^2$ and $t_3(T_3, T_2) \equiv \delta_1 \delta_6^2$. From these outcomes it follows that
$$t_3(T_1, T_1) \equiv \delta_2 \delta_4^2 \delta_7^2,\qquad t_3(T_1, T_2) \equiv \delta_2^2 \delta_4,\qquad t_3(T_2, T_2) \equiv \delta_1 \delta_2 \delta_4^2 \delta_6^2.$$
We will instead work with the radicands
$$r_1 = \delta_7 \equiv t_3(T_1, T_1)\, t_3(T_1, T_2),\qquad r_2 = \delta_2 \delta_4^2 \equiv t_3(T_1, T_2)^{-1},\qquad r_3 = \delta_1 \delta_6^2 \equiv t_3(T_1, T_2) \cdot t_3(T_2, T_2),$$
which does not affect the validity of property (4). Indeed, formulae in terms of $\sqrt[3]{r_1}, \sqrt[3]{r_2}, \sqrt[3]{r_3}$ can easily be rewritten into formulae in terms of $\sqrt[3]{r_1 r_2} = \sqrt[3]{t_3(T_1, T_1)}$, $\sqrt[3]{1/r_2} = \sqrt[3]{t_3(T_1, T_2)}$, $\sqrt[3]{r_2 r_3} = \sqrt[3]{t_3(T_2, T_2)}$, and vice versa.

The good extensions of (5.1) are characterized by the fact that their kernel intersects the kernel $\langle T_1', T_2' \rangle$ of the dual isogeny trivially. In order to find such kernels, we are first and foremost interested in extending $T_1', T_2'$ to a basis of the 3-torsion. To this end, we try to find all $b_1, \ldots, b_7$ such that
$$(5.2)\qquad F_{r's't'}(x) = (b_4 x^3 + b_3 x^2 + b_2 x + b_1)^2 + b_7 (x^2 + b_5 x + b_6)^3.$$
Indeed, every such tuple produces a divisor $D$ with Mumford coordinates
$$\bigl( x^2 + b_5 x + b_6,\ (b_4 x^3 + b_3 x^2 + b_2 x + b_1)/\sqrt{-3} \bigr)$$
satisfying $3D = (b_4 x^3 + b_3 x^2 + b_2 x + b_1 - \sqrt{-3}\,y)$, hence $D \in J^{(-3)}_{r's't'}[3]$. Conversely, every 3-torsion point arises in this way, see for example [7, §3.1]. Over an algebraic closure of the base field, 80 nontrivial 3-torsion elements exist and hence 80 tuples $(b_1, \ldots, b_7)$ satisfy the above equation. We remark that for every solution $(b_1, b_2, b_3, b_4, b_5, b_6, b_7)$ corresponding to a divisor $D$, there exists another solution
$(-b_1, -b_2, -b_3, -b_4, b_5, b_6, b_7)$ corresponding to the opposite divisor, whose class is $-D$. The parametrization from Section 5.1 already gives rise to eight solution tuples $(b_1, \ldots, b_7)$ corresponding to the elements in $\{iT_1' + jT_2' : 0 \le i, j \le 2\} \setminus \{0\}$. To find the rest of the tuples, one can write out the equation of $F_{r's't'}(x)$ as well as the right-hand side of (5.2), and equate coefficients of the degree-six polynomials found. One can then compute a reduced Gröbner basis of these seven expressions with respect to the lexicographic monomial order (footnote 13: performing a straightforward Gröbner basis computation in $\mathbb{Q}[r, s, t, b_1, \ldots, b_7]$ will quickly result in memory issues. Instead, one can first transform $F_{r's't'}$ to the more generic form $x^6 + ax^4 + bx^3 + cx^2 + dx + e$ to suppress the high degrees of $r', s', t'$. Next, one can compute the Gröbner basis over $\mathbb{F}_p[a, b, c, d, e, b_1, \ldots, b_7]$ for many $p$, then lift the solution to $\mathbb{Q}[a, b, c, d, e, b_1, \ldots, b_7]$ with the Chinese remainder theorem). Assuming we put $b_4$ last in the monomial ordering, the last polynomial of the Gröbner basis will be a degree-80 polynomial in just $b_4$, whose roots correspond to possible solutions for $b_4$ in (5.2). Up to some constant factor, this minimal polynomial of $b_4$ is of the form
$$M(b_4) = \prod_{i=1}^{4} (b_4^2 - \beta_i^2) \prod_{k=1}^{4} f_k(b_4),$$
where the $f_k(b_4)$ are polynomials of degree 18, and the $\beta_i$ are the (necessarily rational) solutions corresponding to $\{iT_1' + jT_2' : 0 \le i, j \le 2\} \setminus \{0\}$. These $\beta_i$ appear in pairs, which on the level of divisors coincides with the correspondence between $D$ and $-D$, and for the same reason one can see that the polynomials $f_k$ ought to be even. We will write $\tilde{f}_k(b_4)$ for the polynomial obtained by halving the exponents of the monomials of $f_k(b_4)$. One can verify that the polynomials $\tilde{f}_k(b_4) \in \mathbb{Q}(r, s, t)[b_4]$ all have Galois group $(\mathbb{Z}_3 \times \mathbb{Z}_3) \rtimes \mathbb{Z}_3^*$, but the action of $\mathbb{Z}_3^*$ originates from a cubic root of unity, and their Galois groups over $\mathbb{Q}(r, s, t, \zeta_3)$ are thus $\mathbb{Z}_3 \times \mathbb{Z}_3$. Writing $\alpha_1 = \sqrt[3]{r_1}$, $\alpha_2 = \sqrt[3]{r_2}$, $\alpha_3 = \sqrt[3]{r_3}$, it turns out that they split completely when extending the field $\mathbb{Q}(r, s, t, \zeta_3)$ with $\{\alpha_1, \alpha_2\}$, $\{\alpha_1, \alpha_3\}$, $\{\alpha_2, \alpha_3\}$ or $\{\alpha_1 \alpha_2, \alpha_1 \alpha_3\}$. All roots of one specific $\tilde{f}_k(b_4)$ can be obtained from a single given root, by scaling the cubic roots with powers of $\zeta_3$. On the level of divisors, these associated roots correspond to adding a linear combination of $T_1'$ and $T_2'$. More precisely, if $x_k$ denotes a root of $\tilde{f}_k(b_4)$, we can make the following identification:
$$x_1(\zeta_3^i \alpha_1, \zeta_3^j \alpha_2) \longleftrightarrow T_3 + iT_1' + jT_2',$$
$$x_2(\zeta_3^i \alpha_1, \zeta_3^j \alpha_3) \longleftrightarrow T_4 + iT_1' + jT_2',$$
$$x_3(\zeta_3^i \alpha_2, \zeta_3^j \alpha_3) \longleftrightarrow T_3 + T_4 + iT_1' + jT_2',$$
$$x_4(\zeta_3^i \alpha_1 \alpha_2, \zeta_3^j \alpha_1 \alpha_3) \longleftrightarrow T_3 - T_4 + iT_1' + jT_2',$$
for $0 \le i, j \le 2$, and for any $T_3, T_4$ that extend $T_1', T_2'$ to a basis of $J^{(-3)}_{r's't'}[3]$. This correspondence can be seen from the fact that all $\tilde{f}_k(b_4)$ split over different fields, yet $T_1'$ and $T_2'$ are rational over the ground field. Furthermore, for any fixed choice of $i, j, k \in \{0, 1, 2\}$, any two distinct divisors from this correspondence coinciding with the choice of $\zeta_3^i \alpha_1, \zeta_3^j \alpha_2, \zeta_3^k \alpha_3$ generate a $(3, 3)$-subgroup that intersects $\langle T_1', T_2' \rangle$ trivially. Hence, to find the 27 (up to sign) distinct $b_4$ that correspond to a $(3, 3)$-subgroup which
is the kernel of a good extension relative to the original isogeny, it suffices to scale the radicands with cubic roots of unity. In the appendix, we have included two expressions for $b_4$ which we believe are the easiest amongst the $b_4$ in terms of arithmetic. Alternatively, the formulae can also be extracted from the code of our hash function from Section 6, which can be found in our online repository at https://github.com/KULeuven-COSIC/Multiradical-Isogenies. One can derive closed algebraic expressions for $b_i$ as functions of $b_4$ for $i \in \{1, 2, 3, 5, 6, 7\}$. However, in practice, it is more efficient to only partially do this for the easier expressions, and to obtain the remainder by means of a small Gröbner basis computation. Finding the 27 distinct pairs of tuples $(b_1, \ldots, b_7)$ corresponding to good extensions is done by simply scaling the radicands in the expressions of the $b_4$ with cubic roots of unity before computing the rest of the $b_i$.

Remark 5.6. Observe that our formulae involve a factor $\sqrt{-3}$ (called twist), but this factor disappears when considering the corresponding Mumford coordinates.

Iterated application. Using this new $(3, 3)$-subgroup $\langle T_3, T_4 \rangle$ as kernel for a new isogeny is easiest if we first transform $C_{r's't'}$ into an isomorphic curve $C_{RST}$, where $T_3$ and $T_4$ have now taken the role of the $T_1$ and $T_2$ from Section 5.1 again. This isomorphism allows us to only need to perform the rational transformation $\psi_0(R, S, T)$ from Proposition 5.1 to compute the next isogenous curve. To find this isomorphism, one can use the construction of [5] that has been implemented in Magma in [22]. This construction makes use of somewhat expensive field extensions though, and in practice, a Gröbner basis computation is more efficient.

6. Hash function from (3, 3)-isogenies

We can use the $(3, 3)$-isogenies from the previous section to construct a hash function similar to the hash function from [9]. We start by describing a general outline, then present a more in-depth discussion regarding choices that must be made.

6.1. The graph $G_p$. For a large prime $p$, we denote the (directed multi-)graph $G_{p,3,2}$ from Section 2.5 as $G_p$ and recall its construction. The vertices are all the $\mathbb{F}_{p^2}$-isomorphism classes of superspecial p.p. abelian surfaces, which can always be defined over $\mathbb{F}_{p^2}$. In practice we assume $p \equiv 2 \bmod 3$ and work with representants $A/\mathbb{F}_{p^2}$ on which Frobenius acts as multiplication with $-p$; see [2]. A consequence of this choice is that $A[3] \subseteq A(\mathbb{F}_{p^2})$; indeed, on 3-torsion points Frobenius acts as multiplication by $-p \equiv 1 \bmod 3$. The edges are all possible $(3, 3)$-isogenies between these p.p. abelian surfaces (in the sense of Section 2.5), where multiplicities need to be taken into account. Given that only the superspecial surfaces are considered, the graph $G_p$ is a directed 40-regular finite multigraph.

In order to hash a given message in this graph, we first choose an arbitrary, yet fixed, starting vertex. Next, we order the 40 outgoing edges from this vertex according to some fixed order (e.g., lexicographic), and choose the first 27 to continue with. The message that needs to be hashed is then converted into a base-3 number, of which the digits are called trits. We choose to walk along the edge that corresponds to the three least significant trits of the message towards the next vertex. At this vertex, we consider the 27 outgoing edges that correspond to $(3, 3)$-isogenies whose kernel intersects the kernel of the dual of the previous isogeny trivially. Now we follow the edge that
corresponds to the next three trits of the message. By excluding the other 13 $(3, 3)$-isogenies, we avoid trivial cycles in our path by not (partially or fully) backtracking. This process is repeated until the entire message has been hashed. As output, an invariant of the resulting p.p. abelian surface is then returned.

Given that we will have to compute cubic roots in the computations, $p$ should ideally be chosen such that the valuation of $p^2 - 1$ at 3 is 1, in order to speed up the computations. In combination with our assumption $p \equiv 2 \bmod 3$, this means we want $p \equiv 2, 5 \bmod 9$. Of course, we want $p$ large enough to provide ample security. The graph $G_p$ was proven to be connected, see for example [31, Thm. 43]. Even though the graph is not Ramanujan, in the $(2, 2)$-case it still exhibits strong expander properties, so we assume this to be the case for $(3, 3)$-isogenies as well. The set of edges of the graph is of size $O(p^3)$, of which the majority consists of p.p. abelian surfaces corresponding to Jacobians of genus-2 curves, and only $O(p^2)$ corresponding to products of elliptic curves.

Remark 6.1. Since $p^2 \equiv 1 \bmod 3$ we have $\sqrt{-3} \in \mathbb{F}_{p^2}$. Consequently, we can ignore the twisting factor $-3$ from Proposition 5.1 and identify $J_{rst}/\langle T_1, T_2 \rangle$ with $J_{r's't'}$. This comes at the (negligible) expense of carrying an extra factor $\sqrt{-3}$ in our multiradical isogeny formulae (called twist in our code); see Remark 5.6.

6.2. Starting p.p. abelian surface. It is still an open problem whether one can generate a supersingular elliptic curve over a large prime field in reasonable time without knowing its endomorphism ring. This knowledge can in fact compromise the security of the associated cryptographic protocols, see for example [18]. Even though this has not been explicitly written down yet for superspecial p.p. abelian surfaces, it is not too far-fetched to assume that knowledge of its endomorphism ring can pose similar security risks. On the same note, it is not known how to generate a genus-2 curve over a large prime field whose Jacobian is superspecial in reasonable time without knowing its endomorphism ring. Some exceptional curves are known, see for example [29, §1]. Note that all of these are curves with many automorphisms, possibly leading to small collisions at the start of the hash function. Therefore, a better starting vertex in our graph should be obtained by taking a long enough random walk in the graph starting from one of these exceptional cases. Given that the isomorphism classes corresponding to products of elliptic curves represent a negligible proportion of vertices in $G_p$ for cryptographically large $p$, we can assume our starting vertex to be the Jacobian of a genus-2 curve. Furthermore, we are interested in only 27 of the 40 $(3, 3)$-subgroups of this Jacobian. Hence our starting point can be chosen as an $(r, s, t)$-parametrization from Section 5.1, where the 27 $(3, 3)$-subgroups correspond precisely to those that intersect the $(3, 3)$-subgroup determined by the $(r, s, t)$-parametrization trivially. Making this choice can be seen as having performed a step 0 in the hash function, where the kernel of the dual isogeny corresponding to this step is determined by this $(r, s, t)$-parametrization.

6.3. Genus-2 curves versus products of elliptic curves. Vertices corresponding to the Jacobians of genus-2 curves or to the product of two elliptic curves will of course need to be handled differently with regard to computing the next edge in our walk. Apart from this internal code distinction, it is more user-friendly for a hash function to have a fixed size as output. The isomorphism classes of Jacobians of genus-2 curves can be classified by their absolute Igusa invariants, which
are ordered triplets of elements in $\mathbb{F}_{p^2}$, whereas products of elliptic curves are completely determined by an unordered pair of $j$-invariants in $\mathbb{F}_{p^2}$. In order to unify these two types of invariants in one output, we first note that the number of possible output values is only $3 \log p$, and not $6 \log p$ as the absolute Igusa invariants may suggest. If the application for the hash function is not impeded by taking values in a set that is sparse in a much larger set, one can apply the following method during the hashing. Whenever we arrive at a vertex corresponding to a product of elliptic curves, we (deterministically) take one more step in the graph without processing information, to a vertex corresponding to the Jacobian of a genus-2 curve again. Alternatively, if one only wants an output of the same length as there is entropy, one needs to choose a function to reduce both the absolute Igusa invariants as well as the pair of $j$-invariants to something of size $3 \log p$.

6.4. Implementation. We implemented our $(3, 3)$-hash function in Magma (version 2.26-1) and ran it on an Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60GHz with 128 GB of memory. For every prime size considered we averaged the computation times over 100 random inputs of 1000 bits. A summary of our timed results can be found in the following table, where we included the timings of the $(2, 2)$-hash function from [9] for comparison. The security claims in the table are the same as in [9, §7.4] and, to the best of our knowledge, no advancements have been made in that area. In particular, the best known classical attack is based on the general Pollard-ρ attack, whereas the best known quantum attack is based on Grover's claw-finding algorithm.

                                             p ≈ 2^86   p ≈ 2^128   p ≈ 2^171   p ≈ 2^256
  bits of classical security                    128         192         256         384
  bits of quantum security                       86         128         170         256
  output bits                                   516         768        1026        1536
  time per bit processed (2, 2)               5.01ms      6.52ms      9.33ms     15.70ms
  time per bit processed (3, 3) (this work)   4.70ms      4.87ms      5.54ms      6.36ms

To understand why the $(3, 3)$-hash function scales much better than the $(2, 2)$-hash function, we take a look at the decomposition of the computation cost in the following table.

                                             p ≈ 2^86   p ≈ 2^128   p ≈ 2^171   p ≈ 2^256
  1) Tate pairings (cubic roots)                 7.0%        8.5%       11.2%       14.3%
  2) Compute b4's (arithmetic)                  20.5%       18.9%       18.9%       17.0%
  3) Find other bi's (two GCDs)                 16.4%       15.9%       15.8%       15.2%
  4) Reparametrize r, s, t (Gröbner basis)      54.6%       55.3%       52.7%       52.2%
  5) Isogenous curve (arithmetic)                1.5%        1.4%        1.4%        1.3%

As $p$ grows, the degrees of the polynomials involved in steps 3 and 4 in this table don't change, hence the complexity of these steps depends only on the arithmetic of the field $\mathbb{F}_{p^2}$. Asymptotically, root finding over finite fields $\mathbb{F}_{p^2}$ for large $p$, e.g., with the Tonelli–Shanks algorithm, scales a lot worse than addition and multiplication. Therefore, in the $(3, 3)$-hash function step 1 in the table takes up a larger relative amount of work as $p$ grows. For $p$ large enough, this part of the computation will dominate the total cost. In the $(2, 2)$-hash function on the other hand, the computation is already heavily dominated by the three (square) roots for small $p$, with only a handful of basic arithmetic operations.
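The following Python script is an added example, not code from the paper or its repository. It checks the prime constraints from Section 6.1 ($p \equiv 2 \bmod 3$ and $v_3(p^2 - 1) = 1$, i.e. $p \equiv 2, 5 \bmod 9$) and shows why they keep step 1 of the table above cheap: when $9 \nmid p^2 - 1$, a cube root in $\mathbb{F}_{p^2}$ is a single exponentiation with no Tonelli–Shanks-style search. The quadratic model $\mathbb{F}_p[w]/(w^2 - n)$, the small primes and the sample element are constructed for the demonstration.

```python
"""Cube roots in F_{p^2} for the primes of Section 6 (added example).

Not code from the paper or its repository.  With q = p^2 and q - 1 = 3m,
3 not dividing m (i.e. p = 2, 5 mod 9), every cube x has the cube root x^k
where 3k = 1 (mod m): one exponentiation, no search over the 3-part of
F_q^*.  F_{p^2} is modelled as F_p[w]/(w^2 - n) with n a quadratic
non-residue; the model and sample values are constructed for this demo.
"""


def v3(n):
    """3-adic valuation of a positive integer."""
    v = 0
    while n % 3 == 0:
        n //= 3
        v += 1
    return v


def is_prime(n):
    """Trial division; the example only uses small primes."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def is_hash_prime(p):
    """p > 3 prime, p = 2 (mod 3) and v_3(p^2 - 1) = 1, as required in Section 6."""
    return p > 3 and is_prime(p) and p % 3 == 2 and v3(p * p - 1) == 1


def hash_primes_below(bound):
    """Admissible primes below bound; these are exactly the primes = 2, 5 (mod 9)."""
    return [p for p in range(bound) if is_hash_prime(p)]


def quadratic_nonresidue(p):
    """Smallest n with n^((p-1)/2) = -1 (mod p), so that w^2 - n is irreducible."""
    for n in range(2, p):
        if pow(n, (p - 1) // 2, p) == p - 1:
            return n
    raise ValueError("p must be an odd prime")


class Fp2:
    """Element a + b*w of F_p[w]/(w^2 - n)."""

    def __init__(self, p, n, a, b=0):
        self.p, self.n, self.a, self.b = p, n, a % p, b % p

    def __eq__(self, other):
        return (self.p, self.n, self.a, self.b) == (other.p, other.n, other.a, other.b)

    def __mul__(self, other):
        p, n = self.p, self.n
        return Fp2(p, n, self.a * other.a + n * self.b * other.b,
                   self.a * other.b + self.b * other.a)

    def __pow__(self, e):
        result, base = Fp2(self.p, self.n, 1), self
        while e:  # square-and-multiply
            if e & 1:
                result = result * base
            base = base * base
            e >>= 1
        return result


def cube_root(x):
    """Cube root of x in F_{p^2}, or None if x is not a cube.

    Raises ValueError when 9 | p^2 - 1: then 3 | m, no k with 3k = 1 (mod m)
    exists, and a Tonelli-Shanks-style search would be needed instead.
    """
    m = (x.p * x.p - 1) // 3  # p != 3 forces 3 | p^2 - 1
    if m % 3 == 0:
        raise ValueError("v_3(p^2 - 1) > 1: single exponentiation does not suffice")
    k = pow(3, -1, m)  # 3k = 1 (mod m); needs Python 3.8+
    y = x ** k  # if x = z^3 then y = z * (cube root of unity)
    return y if y ** 3 == x else None


def count_cubes(p):
    """Number of cubes in F_{p^2}; equals 1 + (p^2 - 1)/3 when cube_root is sound."""
    n = quadratic_nonresidue(p)
    return sum(cube_root(Fp2(p, n, a, b)) is not None
               for a in range(p) for b in range(p))


if __name__ == "__main__":
    p = 11  # 11 = 2 (mod 9), so v_3(p^2 - 1) = v_3(120) = 1
    n = quadratic_nonresidue(p)
    z = Fp2(p, n, 3, 5)  # constructed sample element
    x = z ** 3
    r = cube_root(x)
    print("admissible primes below 60:", hash_primes_below(60))
    print("cube root of", (x.a, x.b), "is", (r.a, r.b), "; cubes in F_121:", count_cubes(p))
```

Running it with p = 17 instead (17 ≡ 8 mod 9, so 9 | p² − 1) makes cube_root raise, which is exactly the case the prime selection rules out.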
Furthermore, the valuation of $p^2 - 1$ at $N$ determines the complexity of finding an $N$th root of an element in $\mathbb{F}_{p^2}$, see for instance [17, Thm. 1]. One can choose $p$ such that $9 \nmid p^2 - 1$, but at the very least we always have $8 \mid p^2 - 1$, which means cubic roots can be computed significantly faster than square roots. In practice, Magma can compute cubic roots over $\mathbb{F}_{p^2}$ faster than square roots by a factor of about 2.7 for large enough $p$. Additionally, for every three computed roots, the $(3, 3)$-hash function can process 3 trits, whereas the $(2, 2)$-hash function can only process 3 bits. Asymptotically we can thus expect the $(3, 3)$-hash function to outperform the $(2, 2)$-hash function by a total factor of $2.7 \cdot (3/2)^3 \approx 9$. For $\mathbb{F}_{p^2}$ with $p = 2^{1024} + 643$ for example, we see that $(2, 2)$-hashing a 100-bit message takes about 20.4 seconds, whereas $(3, 3)$-hashing a 100-bit message takes about 2.26 seconds.

Appendix: code for 3-torsion

The following is the Magma code that accompanies Section 5.2. The formulae can be extracted as part of the hash function code found in our online repository at https://github.com/KULeuven-COSIC/Multiradical-Isogenies, but we deem the formulae important enough to be displayed in the appendix as well. The variables r,s,t in the code represent the domain of the $(3, 3)$-isogeny, whereas R,S,T represent the codomain (footnote 14: remark that we want the codomain curve to have small integer parameters, so in the code these are defined first, after which we use the dual isogeny to compute the more elaborate rational parameters of the domain curve). The variables a,b,c represent cubic roots of factors of the Tate pairings. The variables b4ab and b4bc represent solutions for $b_4$ in (5.2). Note that we work with $b_4$ instead of $b_5$ since in practice we want to be able to distinguish between a divisor and its opposite. From these two solutions for $b_4$, we compute a Gröbner basis to find solutions for the other coefficients $b_i$. Note that the formulae are general, but Magma struggles to work over a degree-54 extension of a function field in 3 variables. Hence, to make the code work standalone, we opted to work with a concrete example where $(R, S, T) = (2, 5, -3)$. To verify the formulae in general, one works over $\mathbb{Q}(R, S, T)$ and adjoins only the cubic roots a,b, for example. Then, one checks that one of the degree-18 factors from the minimal polynomial of $b_4$ coincides with the product $\prod_{i=1}^{3} \prod_{j=1}^{3} (x^2 - b_4(\zeta_3^i a, \zeta_3^j b))$, where the product ranges over all possible cubic roots a,b.

clear;
Q := Rationals();
R := 2; S := 5; T := -3;
Qx := PolynomialRing(Q);
Q := ext;  // the arguments of ext< > are missing from the printed text
Qx := PolynomialRing(Q);
D1 := T;
D2 := S;
D3 := S*T + 1;
D4 := R^3 - 3*R*T + T^2 + T;
D5 := R^3*S - 3*R*S*T + S*T^2 + S*T + T;
D8 := R^2 - T;
D9 := R - 1;
D10 := R*S - S*T - 1;
D11 := S*T - S + 1;
DELTA := R^6*S^2 - 6*R^4*S^2*T - 3*R^4*S + 2*R^3*S^2*T^2 + 2*R^3*S^2*T + 3*R^3*S*T + R^3*S + R^3 + 9*R^2*S^2*T^2 + 6*R^2*S*T - 6*R*S^2*T^3 - 6*R*S^2*T^2 - 9*R*S*T^2 - 3*R*S*T - 3*R*T + S^2*T^4 + 2*S^2*T^3 + S^2*T^2 + 2*S*T^3 + 3*S*T^2 + T^2 + T;
// parameters of the domain curve, obtained from the codomain via the dual isogeny
r := -D2*D9*D8*(D5-R)/(D10^2*D4);
s := D10^3*D4^2/(D1*D2*D9^3*DELTA);
t := D2^2*D9^3*D8^3/(D10^3*D4^2);
d1 := t;
d2 := s;
d4 := r^3 - 3*r*t + t^2 + t;
d6 := r^3*s^2 - 3*r*s^2*t - 3*r*s + s^2*t^2 + s^2*t + 2*s*t + s + 1;
d7 := r^3*s^2*t + r^3*s - 3*r*s^2*t^2 - 3*r*s*t + s^2*t^3 + s^2*t^2 + 2*s*t^2 + t;
// the three extensions adjoin the cubic roots a, b, c; the arguments of ext< > are missing from the printed text
Q := ext;
Q := ext;
Q := ext;
cofab1 := D1^2*D4^4*D10^8/(D2^3*D8^6*D9^2*DELTA^2);
cofab2 := D1^2*D4^4*D8*D10^7*D11/(D2^2*D8^6*D9^2*DELTA^2);
cofab3 := D1*D4^4*D8^2*D10^6/(D2*D8^6*D9^2*DELTA^2);
cofab4 := D1^2*D4^2*D10^5*D11/(D2^2*D8^4*D9*DELTA);
cofab5 := D1*D4^2*D8*D10^4/(D2*D8^4*D9*DELTA);
cofab6 := D1*D3*D4^2*D8^2*D10^3/(D8^4*D9*DELTA);
cofab7 := D1^2*D10^2/D8^2;
cofab8 := D1*D10/D8;
cofab9 := D11;
cofab1 *:= -6*S*T-2;
cofab2 *:= -2;
cofab3 *:= 6*S*T+4;
cofab4 *:= 2;
cofab5 *:= -6*S*T-2;
cofab6 *:= -6;
cofab7 *:= 6;
cofab8 *:= 6*S*T+4;
cofab9 *:= 2*S*T+1;
b4ab := twist*((cofab9 + cofab8*a + cofab7*a^2) + (cofab6 + cofab5*a + cofab4*a^2)*b + (cofab3 + cofab2*a + cofab1*a^2)*b^2);
cofbc1 := 1/(D2*D4^3);
cofbc2 := D1^2*D9*D10/(D2*D4^3*D8);
cofbc3 := D1^3*D9^2*D10^2/(D2*D4^3*D5*D8^2);
cofbc4 := D1*D10^3/(D2^2*D4*D8^2*D9*DELTA);
cofbc5 := D1^2*D10^4/(D2^2*D4*D8^3*DELTA);
cofbc6 := D1^3*D9*D10^5/(D2^2*D4*D5*D8^4*DELTA);
cofbc7 := D1*D4*D10^6/(D2^3*D8^4*D9^2*DELTA^2);
cofbc8 := D1^2*D4*D10^7/(D2^3*D8^5*D9*DELTA^2);
cofbc9 := D1^4*D4*D10^8/(D2^3*D5*D8^6*DELTA^2);
cofbc1 *:= R^9*S^2*T + R^9*S^2 - R^9*S - 6*R^8*S^2*T - 3*R^7*S^2*T^2 - 3*R^7*S^2*T - 5*R^7*S*T + R^6*S^2*T^3 + 40*R^6*S^2*T^2 + R^6*S^2*T + 13*R^6*S*T^2 + 13*R^6*S*T - 2*R^6*T - 21*R^5*S^2*T^3 - 21*R^5*S^2*T^2 + 3*R^5*S*T^2 + 6*R^4*S^2*T^4 - 54*R^4*S^2*T^3 + 6*R^4*S^2*T^2 - 52*R^4*S*T^3 - 52*R^4*S*T^2 - 6*R^4*T^2 - R^3*S^2*T^5 + 64*R^3*S^2*T^4 + 64*R^3*S^2*T^3 - R^3*S^2*T^2 + 11*R^3*S*T^4 + 103*R^3*S*T^3 + 11*R^3*S*T^2 + 14*R^3*T^3 + 14*R^3*T^2 - 33*R^2*S^2*T^5 - 48*R^2*S^2*T^4 - 33*R^2*S^2*T^3 - 15*R^2*S*T^4 - 15*R^2*S*T^3 - 18*R^2*T^3 + 9*R*S^2*T^6 + 15*R*S^2*T^5 + 15*R*S^2*T^4 + 9*R*S^2*T^3 + 7*R*S*T^5 - 40*R*S*T^4 + 7*R*S*T^3 - 6*R*T^4 - 6*R*T^3 - S^2*T^7 - 2*S^2*T^6 - 2*S^2*T^5 - 2*S^2*T^4 - S^2*T^3 - 3*S*T^6 + 9*S*T^5 + 9*S*T^4 - 3*S*T^3 - 2*T^5 + 14*T^4 - 2*T^3;
cofbc2 *:= -2*R^7*S + 8*R^6*S - 6*R^5*S + 6*R^5 + 2*R^4*S*T^2 - 22*R^4*S*T - 12*R^4*T + 22*R^3*S*T^2 + 28*R^3*S*T + 6*R^3*T - 18*R^2*S*T^3 - 24*R^2*S*T^2 - 6*R^2*S*T + 6*R^2*T^2 - 12*R^2*T + 4*R*S*T^4 + 20*R*S*T^3 - 2*R*S*T^2 + 6*R*T^3 + 6*R*T^2 4*S*T^4 - 2*S*T^3 + 2*S*T^2 - 12*T^3 + 6*T^2;
cofbc3 *:= 2*R^8*S - 6*R^7*S + 4*R^6*S*T - 8*R^5*S*T^2 + 16*R^5*S*T + 6*R^5*T - 30*R^4*S*T^2 - 12*R^4*T + 44*R^3*S*T^3 + 14*R^3*S*T^2 + 6*R^3*T^2 - 10*R^2*S*T^4 - 32*R^2*S*T^3 - 22*R^2*S*T^2 - 12*R^2*T^3 + 6*R^2*T^2 - 6*R*S*T^4 + 36*R*S*T^3 + 6*R*S*T^2 + 6*R*T^3 + 6*R*T^2 + 4*S*T^5 - 4*S*T^4 - 8*S*T^3 + 6*T^4 - 12*T^3;
cofbc4 *:= 2*R^9*S^2 - 2*R^8*S^2*T - 4*R^8*S^2 + 4*R^8*S - 8*R^7*S^2*T + 2*R^7*S^2 - 10*R^7*S + 16*R^6*S^2*T^2 + 26*R^6*S^2*T - 4*R^5*S^2*T^3 - 18*R^5*S^2*T^2 - 20*R^5*S^2*T - 10*R^5*S*T^2 + 32*R^5*S*T + 6*R^5*T - 22*R^4*S^2*T^3 - 24*R^4*S^2*T^2 + 4*R^4*S^2*T - 38*R^4*S*T^2 - 2*R^4*S*T - 12*R^4*T + 14*R^3*S^2*T^4 + 72*R^3*S^2*T^3 + 40*R^3*S^2*T^2 + 60*R^3*S*T^3 + 6*R^3*S*T^2 + 6*R^3*T^2 - 2*R^2*S^2*T^5 - 32*R^2*S^2*T^4 - 64*R^2*S^2*T^3 - 16*R^2*S^2*T^2 - 14*R^2*S*T^4 - 40*R^2*S*T^3 - 26*R^2*S*T^2 - 12*R^2*T^3 + 6*R^2*T^2 + 4*R*S^2*T^5 + 22*R*S^2*T^4 + 20*R*S^2*T^3 + 2*R*S^2*T^2 - 10*R*S*T^4 + 52*R*S*T^3 + 8*R*S*T^2 + 6*R*T^3 + 6*R*T^2 - 2*S^2*T^5 - 4*S^2*T^4 - 2*S^2*T^3 + 6*S*T^5
Licensed to AMS. License or copyright restrictions may apply to redistribution; see https://www.ams.org/publications/ebooks/terms
85
86
WOUTER CASTRYCK AND THOMAS DECRU
- 6*S*T^4 - 12*S*T^3 + 6*T^4 - 12*T^3; cofbc5 *:= -2*R^7*S + 4*R^6*S*T + 4*R^6*S - 2*R^6 - 6*R^5*S*T - 10*R^4*S*T^2 - 10*R^4*S*T - 6*R^4*T + 2*R^3*S*T^3 + 46*R^3*S*T^2 + 2*R^3*S*T + 14*R^3*T^2 + 14*R^3*T - 24*R^2*S*T^3 - 24*R^2*S*T^2 - 18*R^2*T^2 + 10*R*S*T^4 + 2*R*S*T^3 + 10*R*S*T^2 - 6*R*T^3 - 6*R*T^2 - 2*S*T^5 - 2*S*T^2 - 2*T^4 + 14*T^3 - 2*T^2; cofbc6 *:= 2*R^8*S - 6*R^7*S*T + 4*R^6*S*T + 16*R^5*S*T^2 - 8*R^5*S*T + 6*R^5*T - 30*R^4*S*T^2 - 12*R^4*T^2 + 14*R^3*S*T^3 + 44*R^3*S*T^2 + 6*R^3*T^2 - 22*R^2*S*T^4 - 32*R^2*S*T^3 - 10*R^2*S*T^2 + 6*R^2*T^3 - 12*R^2*T^2 + 6*R*S*T^5 + 36*R*S*T^4 - 6*R*S*T^3 + 6*R*T^4 + 6*R*T^3 - 8*S*T^5 - 4*S*T^4 + 4*S*T^3 - 12*T^4 + 6*T^3; cofbc7 *:= 2*R^9*S^2 - 4*R^8*S^2*T - 2*R^8*S^2 + 4*R^8*S + 2*R^7*S^2*T^2 - 8*R^7*S^2*T - 10*R^7*S*T + 26*R^6*S^2*T^2 + 16*R^6*S^2*T - 20*R^5*S^2*T^3 - 18*R^5*S^2*T^2 - 4*R^5*S^2*T + 32*R^5*S*T^2 - 10*R^5*S*T + 6*R^5*T + 4*R^4*S^2*T^4 - 24*R^4*S^2*T^3 - 22*R^4*S^2*T^2 - 2*R^4*S*T^3 - 38*R^4*S*T^2 - 12*R^4*T^2 + 40*R^3*S^2*T^4 + 72*R^3*S^2*T^3 + 14*R^3*S^2*T^2 + 6*R^3*S*T^3 + 60*R^3*S*T^2 + 6*R^3*T^2 - 16*R^2*S^2*T^5 - 64*R^2*S^2*T^4 - 32*R^2*S^2*T^3 - 2*R^2*S^2*T^2 - 26*R^2*S*T^4 - 40*R^2*S*T^3 - 14*R^2*S*T^2 + 6*R^2*T^3 - 12*R^2*T^2 + 2*R*S^2*T^6 + 20*R*S^2*T^5 + 22*R*S^2*T^4 + 4*R*S^2*T^3 + 8*R*S*T^5 + 52*R*S*T^4 - 10*R*S*T^3 + 6*R*T^4 + 6*R*T^3 - 2*S^2*T^6 - 4*S^2*T^5 - 2*S^2*T^4 - 12*S*T^5 - 6*S*T^4 + 6*S*T^3 - 12*T^4 + 6*T^3; cofbc8 *:= -2*R^7*S + 8*R^6*S*T - 6*R^5*S*T^2 + 6*R^5*T - 22*R^4*S*T^2 + 2*R^4*S*T - 12*R^4*T + 28*R^3*S*T^3 + 22*R^3*S*T^2 + 6*R^3*T^2 - 6*R^2*S*T^4 - 24*R^2*S*T^3 - 18*R^2*S*T^2 - 12*R^2*T^3 + 6*R^2*T^2 - 2*R*S*T^4 + 20*R*S*T^3 + 4*R*S*T^2 + 6*R*T^3 + 6*R*T^2 + 2*S*T^5 - 2*S*T^4 - 4*S*T^3 + 6*T^4 - 12*T^3; cofbc9 *:= -8*R^7*S + 10*R^6*S*T + 10*R^6*S - 2*R^6 + 12*R^5*S*T - 40*R^4*S*T^2 - 40*R^4*S*T - 6*R^4*T + 8*R^3*S*T^3 + 64*R^3*S*T^2 + 8*R^3*S*T + 14*R^3*T^2 + 14*R^3*T - 6*R^2*S*T^3 - 6*R^2*S*T^2 - 18*R^2*T^2 + 4*R*S*T^4 - 28*R*S*T^3 + 4*R*S*T^2 - 6*R*T^3 - 6*R*T^2 - 
2*S*T^5 + 6*S*T^4 + 6*S*T^3 - 2*S*T^2 - 2*T^4 + 14*T^3 - 2*T^2; b4bc := twist* ((cofbc1 + cofbc2*c + cofbc3*c^2) + (cofbc4 + cofbc5*c + cofbc6*c^2)*b + (cofbc7 + cofbc8*c + cofbc9*c^2)*b^2); Qbi := PolynomialRing(Q,6); Qx := PolynomialRing(Qbi); H1 := x^2 + R*x + T; lambda1 := 4*S; G1 := (S - S*T - 1)*x^3 + 3*S*(R - T)*x^2 + 3*S*R*(R - T)*x - S*T^2 + S*R^3 + T; F := G1^2 + lambda1*H1^3; bis := []; for b4 in [b4ab,b4bc] do Fbi := (b4*x^3 + b3*x^2 + b2*x + b1)^2 + b7*(x^2 + b6*x + b5)^3; I := {Eltseq(F)[i] - Eltseq(Fbi)[i] : i in [1..7]}; GB := GroebnerBasis(I); roots := [Roots(UnivariatePolynomial(GB[i]))[1][1] : i in [1..6]]; bi := roots[1..3] cat [b4] cat roots[4..6]; Append(~bis, bi); end for; C := HyperellipticCurve(F); J := Jacobian(C); for bi in bis do T := J ! [Qx ! (bi[5..6] cat [1]), Qx ! bi[1..4]]; assert 3*T eq J ! 0; end for;
Acknowledgments
We thank Marc Houben, Frederik Vercauteren and the anonymous referees for several helpful remarks.
Cosic, research group at imec and KU Leuven, Kasteelpark Arenberg 10/2452, 3001 Leuven (Heverlee), Belgium; and Department of Mathematics: Algebra and Geometry, Ghent University, Krijgslaan 281 – S25, 9000 Gent, Belgium
Email address: [email protected]

Cosic, research group at imec and KU Leuven, Kasteelpark Arenberg 10/2452, 3001 Leuven (Heverlee), Belgium
Email address: [email protected]
Contemporary Mathematics Volume 779, 2022 https://doi.org/10.1090/conm/779/15677
Arithmetic monodromy groups of dynamical Belyi maps

Özlem Ejder

Abstract. We consider a large family of dynamical Belyi maps of arbitrary degree and study the arithmetic monodromy groups attached to the iterates of such maps. Building on the results of Bouw-Ejder-Karemaker on the geometric monodromy groups of these maps, we show that the quotient of the arithmetic monodromy group by the geometric monodromy group has order either 1 or 2. Prior to this article, a result of this kind was only known for quadratic maps (Pink) and a few examples in degree 3.
1. Introduction

Let $f : \mathbb{P}^1_k \to \mathbb{P}^1_k$ be a rational map of degree d defined over a number field k. For each n ≥ 1, define the n-th iterate of f by $f^n = f \circ \cdots \circ f$. It was Odoni [Odo85] who first studied the Galois theory of the iterates of f, mainly for its applications in dynamical systems. Assume f is postcritically finite (PCF), i.e., the orbit of each critical point is finite. Let $P = \{f^n(x) \in \mathbb{P}^1(k) : x \text{ is a critical point of } f \text{ and } n \ge 1\}$. Then the iterates $f^n$ are unbranched outside the finite set P. For a point $x_0 \in \mathbb{P}^1_k \setminus P$, one can construct a tree T whose leaves are the points in $f^{-n}(x_0)$ for n ≥ 1. We obtain a representation of the étale fundamental group of $\mathbb{P}^1_k \setminus P$ (resp., $\mathbb{P}^1_{\bar k} \setminus P$) inside the automorphism group of the tree T. We call the image of such a map the arithmetic (resp., geometric) monodromy group $G_{\mathrm{arith}}$ (resp., $G_{\mathrm{geom}}$) of f. See Section 4 for details. For PCF maps, the geometric fundamental group is topologically finitely generated. Pink [Pin13b, Pin13a] has studied the case d = 2 extensively. He showed that the arithmetic and geometric monodromy groups of the quadratic PCF maps are determined only by the combinatorial data of the postcritical orbit P. Moreover, he described the quotient group $G_{\mathrm{arith}}/G_{\mathrm{geom}}$ for quadratic polynomials and quadratic morphisms with infinite postcritical orbit P. Similarly, the article [BEK21] determines the Galois groups attached to a large class of Belyi maps of any degree d. A rational map $f : \mathbb{P}^1_k \to \mathbb{P}^1_k$ is called a Belyi map if it is branched exactly over {0, 1, ∞}. The authors of [BEK21] show that the geometric monodromy group is again determined only by the combinatorial type for Belyi maps $f : \mathbb{P}^1_k \to \mathbb{P}^1_k$ with exactly three ramification points 0, 1, ∞, which are fixed by f. We call these maps normalized, single cycle genus zero Belyi maps. A dynamical Belyi map is a Belyi map $f : \mathbb{P}^1_k \to \mathbb{P}^1_k$ with $f(\{0, 1, \infty\}) \subset \{0, 1, \infty\}$.

2020 Mathematics Subject Classification. Primary 11G32, 12F10; Secondary 37P05, 37P15.
© 2022 American Mathematical Society
ÖZLEM EJDER
All maps considered in [BEK21] are normalized dynamical Belyi maps, which are all PCF. This article is essentially a sequel to [BEK21], where a condition is described for the quotient of the arithmetic and the geometric monodromy group of normalized single cycle dynamical Belyi maps to be trivial. This is done by introducing a product discriminant. In this article, we use group theoretical tools to describe the normalizer of the geometric monodromy group inside the automorphism group of the tree T. This helps us bound the size of the quotient group $G_{\mathrm{arith}}/G_{\mathrm{geom}}$ for general single cycle dynamical Belyi maps. In particular we prove Theorem 6.1, which states that the quotient $G_{\mathrm{arith}}/G_{\mathrm{geom}}$ has order at most 2 for all but finitely many of these maps. See also the article [JM14] for the Galois groups of iterates of quadratic maps, [ABC+21] for a similar result for $f(x) = x^2 - 1$, [BFH+17] for an example in degree 3, and [Jon13] for a fantastic survey on the subject.

2. Automorphism group of T

Let d ≥ 3. Let T be the infinite regular d-ary tree whose vertices are the finite words over the alphabet {0, ..., d − 1}. For any integer n ≥ 1, we let $T_n$ denote the finite rooted subtree whose vertices are the words of length at most n. We will call the set of words of length n the level n of T. We will use the notation $W := \mathrm{Aut}(T)$ and $W_n := \mathrm{Aut}(T_n)$. We embed $W^d := W \times \cdots \times W$ into W by identifying the complete subtrees rooted at level one of the tree T with T itself. The image of the embedding $W^d \to W$ is the set of automorphisms acting trivially on the first level. The exact sequence

$$1 \to W^d \to W \to W_1 \to 1$$

splits and gives the semidirect product $W^d \rtimes S_d$:

$$W \cong W^d \rtimes S_d \quad \text{and} \quad W_n \cong W_{n-1}^d \rtimes S_d.$$

In other words, W and $W_n$ have a wreath product structure: $W \cong W \wr S_d$ and $W_n \cong W_{n-1} \wr S_d$ for n ≥ 2. We denote an element of W (resp. $W_n$) by $(x_1, \ldots, x_d)\tau$, where the $x_i$ are in W (resp. $W_{n-1}$) and $\tau \in S_d$. We have the following relations in W:

$$(x_1, \ldots, x_d)(y_1, \ldots, y_d) = (x_1 y_1, \ldots, x_d y_d), \qquad \tau (x_1, \ldots, x_d) = (x_{\tau^{-1}(1)}, \ldots, x_{\tau^{-1}(d)})\,\tau. \tag{2.1}$$

We embed $S_d$ into W by the map $\tau \mapsto (-, \ldots, -)\tau$. We denote the automorphism $(-, \ldots, -)\tau$ simply by τ in W. Here − denotes the identity. For every m ≤ n, we write $\pi_m$ for the natural projection $\pi_m : W_n \to W_m$, which corresponds to restricting the action of an element of $W_n$ to the subtree $T_m$ consisting of the levels 0, 1, ..., m. Abusing notation, let $\pi_m : W \to W_m$ also denote the natural projection onto the finite level m. We denote the image of an element w under $\pi_m$ by $w|_{T_m}$. Let G be a subgroup of W. For each n ≥ 1, we define $G_n := \pi_n(G) \subset W_n$. Next we define some subgroups of W which will be essential in Theorem 4.2, where we describe the geometric monodromy groups of dynamical Belyi maps. To define these groups, we first need to define a product sign map on W.
ARITHMETIC MONODROMY GROUPS OF DYNAMICAL BELYI MAPS
Definition 2.1. Define $\mathrm{sgn}_2 : W_2 \to \{\pm 1\}$ by setting

$$\mathrm{sgn}_2\bigl((x_1, \ldots, x_d)\tau\bigr) = \mathrm{sgn}(\tau) \prod_{i=1}^{d} \mathrm{sgn}(x_i). \tag{2.2}$$

Here sgn is the usual sign on $W_1$ via the identification $W_1 \cong S_d$ induced by the choice of labeling of the vertices. We define

$$\mathrm{sgn}_2 := \mathrm{sgn}_2 \circ \pi_2 : W \to \{\pm 1\}. \tag{2.3}$$

Note that we abuse notation and denote the maps $W \to W_2$ and $W_n \to W_2$ both by $\pi_2$.

Definition 2.2. (1) Define the subgroup $E_n \subseteq W_n$ by

$$E_n = \begin{cases} W_1 & \text{if } n = 1, \\ (E_{n-1} \wr E_1) \cap \ker(\mathrm{sgn}_2) \subseteq W_n & \text{otherwise,} \end{cases}$$

and $E := \varprojlim_n E_n \subseteq W$.

(2) Define the subgroup $U_n \subseteq W_n$ as the n-fold iterated wreath product of $A_d$, and $U := \varprojlim_n U_n \subseteq W$.

Remark 2.3. Note that it follows from Definition 2.2 that $E \cong (E \wr S_d) \cap \ker(\mathrm{sgn}_2)$. Let $w = (x_1, \ldots, x_d)\tau \in E$. By definition $w|_{T_n}$ is in $E_n$ for any n ≥ 1. Hence $w|_{T_2} \in \ker(\mathrm{sgn}_2)$ and $x_i|_{T_{n-1}}$ is in $E_{n-1}$ for all i, which implies that $x_i \in E$ for all i ≥ 1. Conversely, let $w = (x_1, \ldots, x_d)\tau \in W$. If $x_i \in E$ for all i ≥ 1 and $w|_{T_2} \in \ker(\mathrm{sgn}_2)$, then $w|_{T_n} \in E_n$ and hence w is in E. Similarly, $w \in U$ if and only if $x_i \in U$ for each i and $\tau \in A_d$.

3. Belyi Maps

A (genus zero) Belyi map is a rational map $f : \mathbb{P}^1_{\mathbb{C}} \to \mathbb{P}^1_{\mathbb{C}}$ such that f is branched exactly over $x_1 = 0$, $x_2 = 1$, and $x_3 = \infty$. It is called a dynamical Belyi map if $f(\{0, 1, \infty\}) \subset \{0, 1, \infty\}$. Hence the iterates of a dynamical Belyi map are also dynamical Belyi maps. A Belyi map is called single cycle if there is a unique ramification point over each of the three branch points. It is called normalized if f(0) = 0, f(1) = 1, and f(∞) = ∞. Hence a normalized Belyi map is dynamical. The combinatorial type of a single cycle Belyi map is the tuple $(d; e_1, e_2, e_3)$, where d denotes the degree of f and $e_i$ denotes the ramification index of the unique ramification point above each $x_i$. An abstract type is a tuple $(d; e_1, e_2, e_3)$ such that $2 \le e_1 \le e_2 \le e_3 \le d$ and $e_1 + e_2 + e_3 = 2d + 1$. For each abstract type C, there exists a unique normalized Belyi map of type C, which can be defined over Q. See [ABE+18, Proposition 1] for a proof. Notice that a normalized dynamical Belyi map is postcritically finite (PCF), i.e., the orbit of each critical point is finite. In this paper, we will focus on the genus zero, single cycle normalized Belyi maps, which form a large class of dynamical Belyi maps.
4. Monodromy groups of dynamical Belyi maps

Let k be a number field. Fix an algebraic closure $\bar k$ of k. Let P = {0, 1, ∞} and let f be a dynamical Belyi map of combinatorial type C defined over k. Let $x_0 \in \mathbb{P}^1_k(k) \setminus P$. Then each $f^n$ is a connected unramified covering of $\mathbb{P}^1_k \setminus P$, hence it is determined up to isomorphism by the monodromy action of $\pi_1^{\text{ét}}(\mathbb{P}^1_k \setminus P, x_0)$ on $f^{-n}(x_0)$. Let $T_{x_0}$ be the tree defined as follows: it is rooted at $x_0$, the leaves of $T_{x_0}$ are the points of $f^{-n}(x_0)$ for all n ≥ 1, and two leaves p, q are connected if f(p) = q. Varying n, the associated monodromy defines a representation

$$\rho : \pi_1^{\text{ét}}(\mathbb{P}^1_k \setminus P, x_0) \to \mathrm{Aut}(T_{x_0}) \tag{4.1}$$

whose image we call the arithmetic monodromy group $G_{\mathrm{arith}}(f)$ of f. One can also study this representation over $\bar k$ and obtain $\pi_1^{\text{ét}}(\mathbb{P}^1_{\bar k} \setminus P, x_0) \to \mathrm{Aut}(T_{x_0})$. We call the image of the map in this case the geometric monodromy group $G_{\mathrm{geom}}(f)$. We note that these monodromy groups are unique up to conjugation by elements of $\mathrm{Aut}(T_{x_0})$. The arithmetic and the geometric monodromy groups of f fit into an exact sequence as follows:

$$\begin{array}{ccccccccc}
1 & \to & \pi_1^{\text{ét}}(\mathbb{P}^1_{\bar k} \setminus P, x_0) & \to & \pi_1^{\text{ét}}(\mathbb{P}^1_k \setminus P, x_0) & \to & \mathrm{Gal}(\bar k/k) & \to & 1 \\
 & & \downarrow & & \downarrow & & \downarrow & & \\
1 & \to & G_{\mathrm{geom}}(f) & \to & G_{\mathrm{arith}}(f) & \to & \mathrm{Gal}(L/k) & \to & 1
\end{array} \tag{4.2}$$

for some field extension L of k. Determining this field L or its degree is a fundamental problem. The groups $G_{\mathrm{geom}}$ and $G_{\mathrm{arith}}$ are profinite groups and they are embedded into $\mathrm{Aut}(T_{x_0})$ by construction. Let $x_1, \ldots, x_d$ denote the points in $f^{-1}(x_0)$. Then $f^{-(n+1)}(x_0) = f^{-n}(x_1) \cup \cdots \cup f^{-n}(x_d)$. Hence after deleting the root $x_0$, the tree $T_{x_0}$ decomposes into the d regular trees $T_{x_1}, \ldots, T_{x_d}$. Let $\tilde P$ denote the set $f^{-1}(P)$. Then by functoriality, $f : \mathbb{P}^1_k \setminus \tilde P \to \mathbb{P}^1_k \setminus P$ induces a map on the fundamental groups

$$f^i_* : \pi_1^{\text{ét}}(\mathbb{P}^1_k \setminus \tilde P, x_i) \to \pi_1^{\text{ét}}(\mathbb{P}^1_k \setminus P, x_0) \tag{4.3}$$

for any i ∈ {1, ..., d}. Here we use the notation $f^i_*$ to specify the base point $x_i$ of $\pi_1^{\text{ét}}(\mathbb{P}^1_k \setminus \tilde P, x_i)$. This should not be confused with the i-th iteration of f. Similarly, by functoriality, the inclusion map $\mathbb{P}^1_k \setminus \tilde P \to \mathbb{P}^1_k \setminus P$ induces the surjective map

$$\mathrm{id}_* : \pi_1^{\text{ét}}(\mathbb{P}^1_k \setminus \tilde P, x_i) \to \pi_1^{\text{ét}}(\mathbb{P}^1_k \setminus P, x_i) \tag{4.4}$$

for any i ∈ {1, ..., d}. The action of $\pi_1^{\text{ét}}(\mathbb{P}^1_k \setminus \tilde P, x_i)$ on $T_{x_1}$ through $f^i_*$ coincides with its natural action on $T_{x_i}$. That is, the image of the composition of $f^i_*$ with (4.1) is exactly the automorphisms in the image of ρ that fix $x_i$. However, these automorphisms do not have to fix any of the other $x_j$ for j ≠ i. Since we would like to describe the action on the subtrees $T_{x_i}$ for all i, we construct the following subgroup:

$$F_k := \Bigl\{ (\gamma_1, \ldots, \gamma_d) \in \prod_{i=1}^{d} \pi_1^{\text{ét}}(\mathbb{P}^1_k \setminus \tilde P, x_i) \;:\; \rho \circ f^i_*(\gamma_i) = \rho \circ f^j_*(\gamma_j) \text{ for any } i, j \in \{1, \ldots, d\} \Bigr\}.$$
Now an automorphism in the image of the composition of $F_k \to \pi_1^{\text{ét}}(\mathbb{P}^1_k \setminus \tilde P, x_i)$ (for any i) and $\rho \circ f^i_*$ fixes $x_i$ for all i. This action coincides with the natural action of $F_k$ composed with (4.4) on $\prod_{i=1}^{d} T_{x_i}$. This is given in the left upper square of Diagram (4.5). The first vertical isomorphism on the left is obtained by a change of base point from $x_1$ to $x_0$. We identify the trees $T_{x_0}, T_{x_1}, \ldots, T_{x_d}$ with the regular d-ary tree T introduced earlier. We can do this exactly because $x_0 \notin P$.

$$\begin{array}{ccccc}
\pi_1^{\text{ét}}(\mathbb{P}^1_k \setminus P, x_0) & \xrightarrow{\ \rho\ } & \mathrm{Aut}(T_{x_0}) & \cong & W \\
\uparrow {\scriptstyle f_*} & & \uparrow & & \uparrow \\
F_k & \longrightarrow & \mathrm{Aut}(T_{x_1}) \times \cdots \times \mathrm{Aut}(T_{x_d}) & \cong & W^d \\
\downarrow {\scriptstyle \mathrm{pr}_1} & & \downarrow {\scriptstyle \mathrm{pr}_1} & & \downarrow \\
\pi_1^{\text{ét}}(\mathbb{P}^1_k \setminus \tilde P, x_1) & \longrightarrow & \mathrm{Aut}(T_{x_1}) & \cong & W \\
\downarrow {\scriptstyle \cong} & & \downarrow {\scriptstyle \cong} & & \downarrow {\scriptstyle \cong} \\
\pi_1^{\text{ét}}(\mathbb{P}^1_k \setminus \tilde P, x_0) & & & & \\
\downarrow {\scriptstyle \mathrm{id}_*} & & & & \\
\pi_1^{\text{ét}}(\mathbb{P}^1_k \setminus P, x_0) & \xrightarrow{\ \rho\ } & \mathrm{Aut}(T_{x_0}) & \cong & W
\end{array} \tag{4.5}$$
We also note here that a discussion of this kind is given in [Pin13b, pg 20] for rational maps of degree 2. We generalize Pink's argument to any d here. In the case d = 2, if an automorphism fixes $x_1$, then it also has to fix $x_2$. Hence there is no need to define a subgroup $F_k$, and Pink only uses $\pi_1^{\text{ét}}(\mathbb{P}^1_k \setminus \tilde P, x_1)$. By the construction of $G_{\mathrm{arith}}$, (4.5) induces a commutative diagram

$$\begin{array}{ccccc}
\pi_1^{\text{ét}}(\mathbb{P}^1_k \setminus P, x_0) & \xrightarrow{\ \rho\ } & G_{\mathrm{arith}} & \subset & W \\
\uparrow {\scriptstyle f_*} & & \uparrow & & \uparrow \\
F_k & \longrightarrow & G_{\mathrm{arith}} \cap W^d & \subset & W^d \\
\downarrow {\scriptstyle \mathrm{pr}_1} & & \downarrow {\scriptstyle \mathrm{pr}_1} & & \downarrow \\
\pi_1^{\text{ét}}(\mathbb{P}^1_k \setminus P, x_0) & \xrightarrow{\ \rho\ } & G_{\mathrm{arith}} & \subset & W
\end{array} \tag{4.6}$$

We obtain a similar diagram for $G_{\mathrm{geom}}$ when we replace k by $\bar k$:

$$\begin{array}{ccccc}
\pi_1^{\text{ét}}(\mathbb{P}^1_{\bar k} \setminus P, x_0) & \xrightarrow{\ \rho\ } & G_{\mathrm{geom}} & \subset & W \\
\uparrow {\scriptstyle f_*} & & \uparrow & & \uparrow \\
F_{\bar k} & \longrightarrow & G_{\mathrm{geom}} \cap W^d & \subset & W^d \\
\downarrow {\scriptstyle \mathrm{pr}_1} & & \downarrow {\scriptstyle \mathrm{pr}_1} & & \downarrow \\
\pi_1^{\text{ét}}(\mathbb{P}^1_{\bar k} \setminus P, x_0) & \xrightarrow{\ \rho\ } & G_{\mathrm{geom}} & \subset & W
\end{array} \tag{4.7}$$
Diagrams (4.6) and (4.7) will be used in the proof of the main theorem in Section 6. For single cycle normalized Belyi maps, the group Ggeom is determined in [BEK21]. Remember the groups E and U are defined in Definition 2.2. We first give an existing result on the geometric monodromy groups of Belyi maps at level one.
Theorem 4.1 ([LO08, Theorem 5.3]). Let f be a normalized Belyi map of type $C = (d; e_1, e_2, e_3) \notin \{(4; 3, 3, 3), (6; 4, 4, 5)\}$.
(1) If at least one of the $e_j$ is even, then $G^1_{\mathrm{geom}}(f) \cong S_d$.
(2) If all $e_j$ are odd, then $G^1_{\mathrm{geom}}(f) \cong A_d$.

The next result describes the geometric monodromy group $G_{\mathrm{geom}}$ for single cycle, normalized dynamical Belyi maps.

Theorem 4.2 ([BEK21, Theorem 2.3.1]). Let f be a normalized Belyi map of type $C = (d; e_1, e_2, e_3) \notin \{(4; 3, 3, 3), (6; 4, 4, 5)\}$.
(1) Assume that at least one of the $e_j$ is even. Then $G_{\mathrm{geom}}(f) \cong E$.
(2) Assume that the $e_i$ are all odd. Then $G_{\mathrm{geom}}(f) \cong U$.

In the same paper, a criterion for the triviality of the quotient $G_{\mathrm{arith}}/G_{\mathrm{geom}}$ is given. See [BEK21, Corollary 2.4.6]. In this article, we prove that the order of the quotient group $G_{\mathrm{arith}}/G_{\mathrm{geom}}$ is either 1 or 2. As seen in (4.2), $G_{\mathrm{arith}}$ can be seen as a subgroup of the normalizer of $G_{\mathrm{geom}}$ in W. We will study the normalizer of the subgroups E and U in the next section.

5. Normalizer of E and U inside W

Let G be either E or U. Let N(G) denote the normalizer of G in W. Given an element $x \in N(G)$, we denote its image in the quotient N(G)/G by x (mod G).

Proposition 5.1. Let G be one of the groups E or U. Let $x = (x_1, \ldots, x_d)\tau \in N(G)$. Then
(1) $x_i$ is in N(G) for all 1 ≤ i ≤ d;
(2) $x_i x_j^{-1}$ is in G for all 1 ≤ i, j ≤ d.

Proof. Let $x = (x_1, \ldots, x_d)\tau \in N(G)$ and let g ∈ G. We will show that $x_i g x_i^{-1}$ is in G for all 1 ≤ i ≤ d. We will assume i = 1 for simplicity and let $j = \tau^{-1}(1)$. Let $y = (y_1, \ldots, y_d)$ be an element of W such that $y_j = g$ and $y_i = \mathrm{id}$ for i ≠ j. Similarly, let $y' = (z_1, \ldots, z_d) \in W$ with $z_1 = z_j = g$ and $z_i = \mathrm{id}$ for i ∉ {1, j}. Since g is in G, either y or y' is in G. This only depends on the sign of $g|_{T_1}$ in $S_d$. Assume y ∈ G. We compute

$$x y x^{-1} = (x_1, \ldots, x_d)\,\tau\,(y_1, \ldots, y_d)\,\tau^{-1}\,(x_1^{-1}, \ldots, x_d^{-1}) = (x_1 y_{\tau^{-1}(1)} x_1^{-1}, \ldots, x_d y_{\tau^{-1}(d)} x_d^{-1}).$$

Since x is in N(G), $xyx^{-1} \in G$, and by the construction of y,

$$x_1 y_{\tau^{-1}(1)} x_1^{-1} = x_1 y_j x_1^{-1} = x_1 g x_1^{-1}$$

is also in G, and this finishes the proof of the first claim. Notice that if y' ∈ G, then one can use y' instead. For the second claim, fix i and j in {1, ..., d}. We take an element y = σ ∈ G, where σ is an even cycle such that $\tau\sigma\tau^{-1}(j) = i$. Then

$$x y x^{-1} = (x_1, \ldots, x_d)\,\tau\sigma\tau^{-1}\,(x_1^{-1}, \ldots, x_d^{-1}) = \bigl(x_1 x_{\tau'^{-1}(1)}^{-1}, \ldots, x_d x_{\tau'^{-1}(d)}^{-1}\bigr)\,\tau',$$

where $\tau' = \tau\sigma\tau^{-1}$. Since $\tau'^{-1}(i) = j$ and $xyx^{-1} \in G$, we have that $x_i x_j^{-1}$ is in G.
Remark 5.2. Note that one can replace G and N(G) by $G_n$ and $N(G)_n$ in Proposition 5.1 and its proof.

Let σ = (1 2) ∈ $S_d$. Remember that we embed $S_d$ into W by $\tau \mapsto (-, \ldots, -)\tau$ for any τ ∈ $S_d$.

Definition 5.3. For each i ≥ 1, define an element of W as follows:

$$w_i := \begin{cases} \sigma & \text{for } i = 1, \\ (w_{i-1}, \ldots, w_{i-1}) & \text{for } i \ge 2. \end{cases}$$

Let N(E) and N(U) denote the normalizer of E and U in W, respectively. Remember that we denote the restriction of N(E) and N(U) to level n by $N(E)_n$ and $N(U)_n$.

Lemma 5.4. (1) For k ≥ 1, the automorphism $w_k$ has order 2.
(2) For k ≥ 1, the automorphism $w_k$ is in N(E) \ E (resp., N(U) \ U).

Proof. The first part follows by induction on k using the equality $w_k^2 = (w_{k-1}^2, \ldots, w_{k-1}^2)$. We prove the second part by induction on k as well. Let k = 1 and let $g = (g_1, \ldots, g_d)\tau \in W$. We compute

$$w_1 g w_1^{-1} = \sigma (g_1, \ldots, g_d)\tau \sigma^{-1} = (g_2, g_1, g_3, \ldots, g_d)\,\sigma\tau\sigma^{-1}.$$

Assume g is in E (resp., in U); then each $g_i$ is in E (resp., in U). Since the sign of a permutation is invariant under conjugation and $g_i \in E$ (resp., ∈ U), we have $w_1 g w_1^{-1} \in E$ (resp., ∈ U). This proves that $w_1$ is in N(E) (resp., in N(U)). Assume $w_{k-1}$ is in N(E) (resp., in N(U)). Then

$$w_k g w_k^{-1} = (w_{k-1}, \ldots, w_{k-1})(g_1, \ldots, g_d)\tau(w_{k-1}^{-1}, \ldots, w_{k-1}^{-1}) = (w_{k-1} g_1 w_{k-1}^{-1}, \ldots, w_{k-1} g_d w_{k-1}^{-1})\,\tau.$$

By the induction hypothesis $w_{k-1} g_i w_{k-1}^{-1}$ is in E (resp., in U) for all i and $\mathrm{sgn}_2(w_k g w_k^{-1}) = \mathrm{sgn}_2(g) = 1$, hence $w_k$ is in N(E). Since $\mathrm{sgn}_2(w_1) = -1$ (resp., sgn(σ) = −1), $w_1$ is not in E (resp., not in U), and similarly $w_k \notin E$ (resp., ∉ U) since $w_1 \notin E$ (resp., ∉ U).

Lemma 5.5. We have $w_i w_j = w_j w_i$ for all i, j ≥ 1.

Proof. We first observe that $w_1$ commutes with $w_i$ for any i ≥ 1. This follows from the relations given in Equation (2.1). Assume $w_i$ and $w_j$ commute for all i, j ≤ n. Let i > 1. Then $w_i w_{n+1} = (w_{i-1}, \ldots, w_{i-1})(w_n, \ldots, w_n) = (w_{i-1} w_n, \ldots, w_{i-1} w_n)$. By our assumption $w_{i-1} w_n = w_n w_{i-1}$ and hence $w_i w_{n+1} = w_{n+1} w_i$.

Definition 5.6. (1) Let n ≥ 2. Define $\varphi_n : \prod_{i=1}^{n-1} \mathbb{F}_2 \to N(E)_n / E_n$ such that

$$\varphi((k_1, \ldots, k_{n-1})) = \prod_{i=1}^{n-1} \bigl(w_i|_{T_n}\bigr)^{k_i} \pmod{E_n}.$$
ÖZLEM EJDER
(2) Let n ≥ 1. Define $\phi_n : \prod_{i=1}^{n} \mathbb{F}_2 \to N(U)_n/U_n$ such that
$$
\phi_n((k_1, \ldots, k_n)) = \prod_{i=1}^{n} w_i|_{T_n}^{\,k_i} \pmod{U_n}.
$$

Lemma 5.7. The map ϕ_n (resp., φ_n) is a well-defined homomorphism for any n ≥ 2 (resp., for any n ≥ 1).

Proof. By Lemma 5.4(2), the order of w_i is 2 for any i ≥ 1, hence the maps ϕ_n and φ_n are well-defined. By Lemma 5.5, they are both homomorphisms. □

Proposition 5.8. The homomorphism ϕ_n (resp., φ_n) is injective for any n ≥ 2 (resp., for any n ≥ 1).

Proof. We will do induction on n to show that ϕ_n is injective. If $w_1|_{T_2}^{k_1} = \mathrm{id} \pmod{E_2}$, then $w_1|_{T_2}^{k_1}$ is in E_2. Since sgn_2(w_1) = −1, we have k_1 = 0 and hence ϕ_2 is injective. Similarly φ_1 is injective since $w_1|_{T_2}$ is not in U_1 = A_d. Assume that ϕ_n (resp., φ_n) is injective for some n ≥ 2 (resp., n ≥ 1). Let $\varphi_{n+1}(k_1, \ldots, k_n) = \prod_{i=1}^{n} w_i|_{T_{n+1}}^{k_i} = \mathrm{id} \pmod{E_{n+1}}$. We compute that
$$
\begin{aligned}
\prod_{i=1}^{n} w_i|_{T_{n+1}}^{k_i} &= w_1|_{T_{n+1}}^{k_1} \prod_{i=2}^{n} \big(w_{i-1}|_{T_n}^{k_i}, \ldots, w_{i-1}|_{T_n}^{k_i}\big) \\
&= w_1|_{T_{n+1}}^{k_1} \Big( \prod_{i=1}^{n-1} w_i|_{T_n}^{k_{i+1}}, \ldots, \prod_{i=1}^{n-1} w_i|_{T_n}^{k_{i+1}} \Big) \in E_{n+1}.
\end{aligned}
$$
By Proposition 5.1, $\prod_{i=1}^{n-1} w_i|_{T_n}^{k_{i+1}}$ is in E_n. By the induction hypothesis k_{i+1} = 0 for all i = 1, . . . , n − 2 and $\varphi_{n+1}(k_1, \ldots, k_n) = w_1|_{T_{n+1}}^{k_1}$. We are left to show that k_1 = 0. This follows since $w_1|_{T_n}$ is not in E_n. Since Proposition 5.1 holds for both E and U, the proof for the injectivity of φ_n follows the same argument. □

Corollary 5.9. Let k_j ∈ F_2 for 1 ≤ j ≤ n. If the product $\prod_{j=1}^{n-1} w_j^{k_j}$ (resp., $\prod_{j=1}^{n} w_j^{k_j}$) is in E_n (resp., in U_n), then k_j = 0 for all j.

Proposition 5.10. Let n ≥ 2. The homomorphism ϕ_n (resp., φ_n) is surjective for any n ≥ 2 (resp., for any n ≥ 1).

Proof. The surjectivity of ϕ_2 follows from the fact that [W_2 : E_2] = 2 and that ϕ_2 is injective. Similarly [W_1 : U_1] = 2 and φ_1 is injective implies that φ_1 is surjective. Assume ϕ_n is surjective. Let x = (x_1, . . . , x_d)τ be in N(E) (resp. N(U)). If $\tau|_{T_1}$ is an even permutation, then τ is in E. Otherwise $\tau w_1^{-1}|_{T_1}$ is an even permutation and again $\tau w_1^{-1}$ is in E. A similar argument works for U. Hence $\tau = w_1^k \pmod{E}$ (resp., (mod U)) for some k ∈ F_2. So we may assume x = (x_1, . . . , x_d). By Proposition 5.1, $x_i|_{T_n}$ is in N(E)_n for all 1 ≤ i ≤ d. Since ϕ_n is surjective, we have $x_i|_{T_n} = \prod_{j=1}^{n-1} w_j|_{T_n}^{k_{i,j}}\, g_i$ for some k_{i,j} ∈ F_2 and g_i ∈ E_n for all 1 ≤ i ≤ d. Hence
$x|_{T_{n+1}}$ is
$$
\begin{aligned}
x|_{T_{n+1}} &= \Big(\prod_{j=1}^{n-1} w_j|_{T_n}^{k_{1,j}}, \ldots, \prod_{j=1}^{n-1} w_j|_{T_n}^{k_{d,j}}\Big)(g_1, \ldots, g_d) \\
&= \Big(\prod_{j=1}^{n-1} w_j|_{T_n}^{k_{1,j}}, \ldots, \prod_{j=1}^{n-1} w_j|_{T_n}^{k_{d,j}}\Big)\, w_1^{k}|_{T_{n+1}} \pmod{E_{n+1}}
\end{aligned}
$$
for some k ∈ F_2. By Lemma 5.4, $w_1^k|_{T_{n+1}} \in N(E)_{n+1}$ and hence
$$
\Big(\prod_{j=1}^{n-1} w_j|_{T_n}^{k_{1,j}}, \ldots, \prod_{j=1}^{n-1} w_j|_{T_n}^{k_{d,j}}\Big) \in N(E)_{n+1}
$$
and by Proposition 5.1(2), we find that
$$
\prod_{j=1}^{n-1} w_j|_{T_n}^{k_{1,j} - k_{i,j}}
$$
is in E_n for all i. Hence by Corollary 5.9, k_{1,j} = k_{2,j} = . . . = k_{d,j} for all 1 ≤ j ≤ n − 1. Let this number be k_j for each j = 1, . . . , n − 1. Now we have
$$
\begin{aligned}
x|_{T_{n+1}} &= \Big(\prod_{j=1}^{n-1} w_j|_{T_n}^{k_j}, \ldots, \prod_{j=1}^{n-1} w_j|_{T_n}^{k_j}\Big)\, w_1^k|_{T_{n+1}} \pmod{E_{n+1}} \\
&= \prod_{j=1}^{n-1} \big(w_j|_{T_n}^{k_j}, \ldots, w_j|_{T_n}^{k_j}\big)\, w_1^k|_{T_{n+1}} \pmod{E_{n+1}} \\
&= w_1^k|_{T_{n+1}} \prod_{j=1}^{n-1} w_{j+1}|_{T_{n+1}}^{k_j} \pmod{E_{n+1}}.
\end{aligned}
$$
Hence ϕ_n is surjective. The proof is the same for φ_n since Proposition 5.1 and Lemma 5.4 hold for U as well. □

Corollary 5.11. Let N(E) denote the normalizer of E in W and let N(U) denote the normalizer of U in W. Then
$$
\prod_{i=1}^{\infty} \mathbb{F}_2 \to N(E)/E \qquad\text{and}\qquad \prod_{i=1}^{\infty} \mathbb{F}_2 \to N(U)/U
$$
given by $(k_1, \ldots, k_i, \ldots) \mapsto w_1^{k_1} w_2^{k_2} \cdots w_n^{k_n} \cdots$ is an isomorphism.

6. Arithmetic monodromy groups of dynamical Belyi maps

In this section f denotes a dynamical Belyi map of combinatorial type C = (d; e_1, e_2, e_3) ∉ {(4; 3, 3, 3), (6; 4, 4, 5)}. To ease the notation we will drop f from the notation and denote G^geom(f) by G. Remember that G is either E or U (Definition 2.2) by Theorem 4.2. Now we are ready to prove the main theorem.

Theorem 6.1. Let f be a dynamical Belyi map of combinatorial type C = (d; e_1, e_2, e_3) ∉ {(4; 3, 3, 3), (6; 4, 4, 5)}. The order of the quotient G^arith(f)/G^geom(f) divides 2.
Proof. The idea of the proof comes from [Pin13a, Lemma 4.8.4]. Using (4.2), we have $\pi_1^{\text{ét}}(\mathbb{P}^1_k \setminus P, x_0)/\pi_1^{\text{ét}}(\mathbb{P}^1_{\bar k} \setminus P, x_0) \to G^{\mathrm{arith}}/G$, and that $\pi_1^{\text{ét}}(\mathbb{P}^1_k \setminus P, x_0)/\pi_1^{\text{ét}}(\mathbb{P}^1_{\bar k} \setminus P, x_0)$ is isomorphic to $\mathrm{Gal}(\bar k/k)$. Using (4.6) and (4.7), we obtain the following diagram.

(6.1) [Commutative diagram with three rows: $\pi_1^{\text{ét}}(\mathbb{P}^1_k \setminus P, x_0)/\pi_1^{\text{ét}}(\mathbb{P}^1_{\bar k} \setminus P, x_0) \to G^{\mathrm{arith}}/G$; $F_k/F_{\bar k} \to G^{\mathrm{arith}} \cap W^d / G \cap W^d$; $\pi_1^{\text{ét}}(\mathbb{P}^1_k \setminus P, x_0)/\pi_1^{\text{ét}}(\mathbb{P}^1_{\bar k} \setminus P, x_0) \to G^{\mathrm{arith}}/G$; with vertical maps between the rows.]

The quotient $F_k/F_{\bar k}$ is $\{(\gamma_1, \ldots, \gamma_d) \in \prod_{i=1}^{d} \mathrm{Gal}(\bar k/k) : \gamma_1 = \cdots = \gamma_d\}$. Putting all of these discussions together, we obtain the diagram below.

(6.2) [Commutative diagram with three rows: $\mathrm{Gal}(\bar k/k) \to G^{\mathrm{arith}}/G$; $\mathrm{Gal}(\bar k/k) \to G^{\mathrm{arith}} \cap W^d / G \cap W^d$; $\mathrm{Gal}(\bar k/k) \to G^{\mathrm{arith}}/G$; with vertical maps between the rows.]

Since G is a normal subgroup of G^arith, the quotient G^arith/G is a subgroup of N(G)/G which we studied in detail in Corollary 5.11. We first note that by Corollary 5.11, N(G)/G is isomorphic to a direct product of copies of F_2 and hence the exact sequence
$$
1 \to N(G) \cap W^d / G \cap W^d \to N(G)/G \to \langle w_1|_{T_1} \rangle \to 1
$$
splits with trivial action. Hence $N(G)/G \cong (N(G) \cap W^d / G \cap W^d) \times \langle w_1|_{T_1} \rangle$. We note that w_i is in N(G) ∩ W^d for all i ≥ 2. Therefore we have a projection map $N(G)/G \to N(G) \cap W^d / G \cap W^d$ sending the automorphism $\prod_{i=1}^{\infty} w_i^{k_i} \pmod{G}$ to $\prod_{i=2}^{\infty} w_i^{k_i} \pmod{G}$. Furthermore we can compose it with the projection of W^d onto the first component. The composition of these two maps gives a homomorphism N(G)/G → N(G)/G that maps
$$
(6.3)\qquad w_1^{k_1} w_2^{k_2} \cdots = w_1^{k_1} \Big( \prod_{i=1}^{\infty} w_i^{k_{i+1}}, \ldots, \prod_{i=1}^{\infty} w_i^{k_{i+1}} \Big) \;\mapsto\; \prod_{i=1}^{\infty} w_i^{k_{i+1}}
$$
since w_i = (w_{i−1}, . . . , w_{i−1}) for i ≥ 2.
We can see these maps in the following diagram.

(6.4) [Commutative diagram whose left part is (6.2). Top and bottom rows: $\mathrm{Gal}(\bar k/k) \to G^{\mathrm{arith}}/G \to N(G)/G \to \prod_{i=1}^{\infty} \mathbb{F}_2$; middle row: $\mathrm{Gal}(\bar k/k) \to G^{\mathrm{arith}} \cap W^d / G \cap W^d \to N(G) \cap W^d / G \cap W^d$; with vertical maps between the rows.]
We obtain the left part of the diagram from (6.2). We define the vertical map on the right hand side as $(k_1, k_2, \ldots) \mapsto (k_2, k_3, \ldots)$ so that the diagram commutes. Let $w = \prod_{i=1}^{\infty} w_i^{k_i} \pmod{G}$ be an element of G^arith/G. Since $\mathrm{Gal}(\bar k/k) \to G^{\mathrm{arith}}/G$ is surjective, there is a $\tau \in \mathrm{Gal}(\bar k/k)$ that maps to w. The image of τ in the top row is (k_1, k_2, . . .) and in the bottom row (k_2, k_3, . . .). Since the diagram commutes, they are equal and k_1 = k_2 = . . . = k_n for all n, which shows that G^arith/G is a subset of {(1, 1, 1, . . .), (0, 0, 0, . . .)}. □

Remark 6.2. In [BEK21, Lemma 2.4.3], a product discriminant D is defined. Moreover, it is shown that G^arith = G^geom if and only if D is a square in Q(t). One can generalize this to k(t) where k is a number field. By Theorem 6.1, we know that $\mathrm{Gal}(\bar k/k) \to G^{\mathrm{arith}}/G$ factors through a quadratic extension L of k. Furthermore, in [BEK21, Proposition 2.4.5], this discriminant D is explicitly calculated. From this we see that the quadratic extension L is given by $k(\sqrt{u})$ where
$$
D = u\,(1 - t)^{2(e_2 - 1)}\, t^{2(e_1 - 1)}
$$
for a dynamical Belyi map of combinatorial type (d; e_1, e_2, e_3).

References

[ABC+21] Faseeh Ahmad, Robert L. Benedetto, Jennifer Cain, Gregory Carroll, and Lily Fang, The arithmetic basilica: A quadratic PCF arboreal Galois group, Journal of Number Theory (2021).
[ABE+18] Jacqueline Anderson, Irene I. Bouw, Özlem Ejder, Neslihan Girgin, Valentijn Karemaker, and Michelle Manes, Dynamical Belyi maps, Women in numbers Europe II, Assoc. Women Math. Ser., vol. 11, Springer, Cham, 2018, pp. 57–82, DOI 10.1007/978-3-319-74998-3_5. MR3882706
[BEK21] Irene I. Bouw, Özlem Ejder, and Valentijn Karemaker, Dynamical Belyi maps and arboreal Galois groups, Manuscripta Math. 165 (2021), no. 1-2, 1–34, DOI 10.1007/s00229-020-01204-3. MR4242559
[BFH+17] Robert L. Benedetto, Xander Faber, Benjamin Hutz, Jamie Juul, and Yu Yasufuku, A large arboreal Galois representation for a cubic postcritically finite polynomial, Res. Number Theory 3 (2017), Paper No. 29, 21, DOI 10.1007/s40993-017-0092-8. MR3736808
[JM14] Rafe Jones and Michelle Manes, Galois theory of quadratic rational functions, Comment. Math. Helv. 89 (2014), no. 1, 173–213, DOI 10.4171/CMH/316. MR3177912
[Jon13] Rafe Jones, Galois representations from pre-image trees: an arboreal survey (English, with English and French summaries), Actes de la Conférence “Théorie des Nombres et Applications”, Publ. Math. Besançon Algèbre Théorie Nr., vol. 2013, Presses Univ. Franche-Comté, Besançon, 2013, pp. 107–136. MR3220023
[LO08] Fu Liu and Brian Osserman, The irreducibility of certain pure-cycle Hurwitz spaces, Amer. J. Math. 130 (2008), no. 6, 1687–1708, DOI 10.1353/ajm.0.0031. MR2464030
[Odo85] R. W. K. Odoni, The Galois theory of iterates and composites of polynomials, Proc. London Math. Soc. (3) 51 (1985), no. 3, 385–414, DOI 10.1112/plms/s3-51.3.385. MR805714
[Pin13a] Richard Pink, Profinite iterated monodromy groups arising from quadratic morphisms with infinite postcritical orbits, Preprint, arXiv:1309.5804, 2013.
[Pin13b] Richard Pink, Profinite iterated monodromy groups arising from quadratic polynomials, Preprint, arXiv:1307.5678, 2013.
Department of Mathematics, Boğaziçi University, Istanbul
Email address: [email protected]
Contemporary Mathematics Volume 779, 2022 https://doi.org/10.1090/conm/779/15672
Automorphisms and isogeny graphs of abelian varieties, with applications to the superspecial Richelot isogeny graph

Enric Florit and Benjamin Smith

Abstract. We investigate special structures due to automorphisms in isogeny graphs of principally polarized abelian varieties, and abelian surfaces in particular. We give theoretical and experimental results on the spectral and statistical properties of (2, 2)-isogeny graphs of superspecial abelian surfaces, including stationary distributions for random walks, bounds on eigenvalues and diameters, and a proof of the connectivity of the Jacobian subgraph of the (2, 2)-isogeny graph. Our results improve our understanding of the performance and security of some recently-proposed cryptosystems, and are also a concrete step towards a better understanding of general superspecial isogeny graphs in arbitrary dimension.
2020 Mathematics Subject Classification. Primary 14K02; Secondary 14G50, 14Q05, 11T99, 05C81.
Key words and phrases. Superspecial abelian varieties, isogeny graphs, isogeny-based cryptography.
The second author was supported in part by l’Agence nationale de la recherche (ANR) program CIAO ANR-19-CE48-0008.
© 2022 Copyright by the authors

1. Introduction

When studying the internal structure of isogeny classes of abelian varieties from an algorithmic point of view, we work with isogeny graphs: the vertices are isomorphism classes of abelian varieties, and the edges are isomorphism classes of isogenies, often of some fixed degree. For elliptic curves, these graphs have already had a wealth of applications. Mestre [32] used his méthode des graphes to compute a basis of the space S_2(N) of modular forms of weight 2, level N, and trivial character. Kohel [27] used isogeny graphs to compute endomorphism rings of elliptic curves over finite fields, and Fouquet and Morain turned this around to improve point-counting algorithms for elliptic curves [17]. Bröker, Lauter, and Sutherland [8] developed an algorithm for computing modular polynomials using isogeny graph structures; Sutherland [41] has used the difference between the structures of ordinary and supersingular isogeny graphs to give a remarkable and efficient deterministic supersingularity test for elliptic curves. More recently, isogeny graphs have become a setting for post-quantum cryptographic algorithms, especially in the supersingular case. Charles, Goren, and Lauter proposed a cryptographic hash function with provable security properties based on
combinatorial properties of the supersingular elliptic 2-isogeny graph [12]. Rostovtsev and Stolbunov proposed a key exchange scheme based on ordinary isogeny graphs [38, 40]; this was vastly accelerated by Castryck, Lange, Martindale, Panny, and Renes by transposing it to a subgraph of the supersingular isogeny graph, where it is known as CSIDH [10]. Jao and De Feo’s SIDH key exchange algorithm [14,24], the basis of SIKE [2] (a third-round alternate candidate in the NIST post-quantum cryptography standardization process), is based on the difficulty of finding paths in the elliptic supersingular 2- and 3-isogeny graphs. These applications all depend, both in their constructions and in their security arguments, on a precise understanding of the combinatorial properties of supersingular isogeny graphs. It is natural to try to extend these applications to the setting of isogeny graphs of higher-dimensional principally polarized abelian varieties (PPAVs). First steps in this direction have been made by Charles, Goren, and Lauter [11], Takashima [42], Flynn and Ti [16], and Castryck, Decru, and Smith [9]. Costello and Smith have proposed an attack on cryptosystems based on the difficulty of computing isogenies between higher-dimensional superspecial abelian varieties [13]. But so far, the efficiency and security of these algorithms is conjectural—even speculative—because of a lack of information on combinatorial properties of supersingular isogeny graphs in higher dimension, such as their connectedness, their diameter, and their expansion constants. For example, the hash functions typically depend on the rapid convergence of random walks to the uniform distribution on the isogeny graph; but while this is well-known for the elliptic case, it is not yet well-understood even in g = 2. Indeed, even the connectedness of the superspecial graph for g = 2 has only recently been proven by Jordan and Zaytman [25]. 
Our ultimate aim is a deeper understanding of the combinatorial and spectral properties of the superspecial graph, such as its diameter and the limit distribution of random walks. In this article we give some theoretical results on general superspecial graphs, and experimental results focused on the Richelot isogeny graph: that is, the graph formed by (2, 2)-isogenies of 2-dimensional PPAVs. Richelot isogeny graphs are the most amenable to explicit computation (apart from elliptic graphs), and already exhibit a particularly rich structure. After recalling basic results in §2, we explore the impact of automorphisms of g-dimensional PPAVs on edge weights in the (ℓ, . . . , ℓ)-isogeny graph for general g and ℓ in §3. Automorphisms are a complicating factor that can almost be ignored in elliptic isogeny graphs, since only two vertices (corresponding to j-invariants 0 and 1728) have automorphisms other than ±1. In higher dimensions, however, extra automorphisms are much more than an isolated corner-case: every general product PPAV A × B has an involution [1]_A × [−1]_B which may induce nontrivial weights in the isogeny graph, and entire families of simple PPAVs can come equipped with extra automorphisms, as we will see in §5 for dimension g = 2. The ratio principle proven in Lemma 3.2, which relates automorphism groups of (ℓ, . . . , ℓ)-isogenous PPAVs with the weights of the directed edges between them in the isogeny graph, is an essential tool for our later investigations. We consider the spectral and statistical properties of isogeny graphs, still in the most general setting, in §4. Here we prove results which, combined with an understanding of the automorphism groups of vertices, allow us to state general theoretical bounds on eigenvalues, and compute stationary distributions for random
walks in the superspecial isogeny graph—and also in interesting subgraphs of the superspecial graph, such as the Jacobian subgraph. We then narrow our focus to the Richelot isogeny graph: that is, the case g = 2 and ℓ = 2. We recall Bolza’s classification of automorphism groups of genus-2 Jacobians in §5, and apply it in the context of Richelot isogeny graphs (extending the results of Katsura and Takashima [26]). In §6 we specialize our general results to g = 2 and ℓ = 2, and give experimental data for diameters and second eigenvalues of superspecial Richelot isogeny graphs (and Jacobian subgraphs) for 17 ≤ p ≤ 601. This allows us to prove that the Jacobian subgraph of the Richelot isogeny graph is connected and aperiodic, and to bound its diameter relative to the diameter of the entire superspecial graph in §7. Our results have consequences for the security and efficiency arguments of the cryptographic algorithms described in [42], [16], [9], and [13]. For example, we can estimate the frequency with which elliptic products are encountered during random walks in the superspecial graph, which is essential for understanding the true efficiency of the attack in [13]; and we can understand the stationary distribution for random walks restricted to the Jacobian subgraph (which were used in [9]). These cryptographic implications are further discussed in §6. Our results also offer a concrete step towards a better understanding of the situation for general superspecial isogeny graphs—that is, in arbitrary dimension g, and with (ℓ, . . . , ℓ)-isogenies for arbitrary primes ℓ.

2. Isogeny graphs

Definition 2.1. Let A/k be a principally polarized abelian variety (PPAV) and ℓ a prime, not equal to the characteristic of k. A subgroup of A[ℓ] is Lagrangian if it is maximally isotropic with respect to the ℓ-Weil pairing. An (ℓ, . . . , ℓ)-isogeny is an isogeny A → A' of PPAVs whose kernel is a Lagrangian subgroup of A[ℓ].
If A is a g-dimensional PPAV, then every Lagrangian subgroup of A[ℓ] is necessarily isomorphic to (Z/ℓZ)^g, though the converse does not hold. Since its kernel is Lagrangian, an (ℓ, . . . , ℓ)-isogeny φ : A → A' respects the principal polarizations: if λ and λ' are the principal polarizations on A and A', respectively, then the pullback φ*(λ') is equal to λ. Given another g-dimensional PPAV A', we say two Lagrangian subgroups K of A[ℓ] and K' of A'[ℓ] yield isomorphic isogenies φ and φ', if there are isomorphisms α : A → A' and β : A/K → A'/K' respecting the principal polarizations, such that the following diagram commutes:

[Commutative square: α : A → A' along the top, φ : A → A/K and φ' : A' → A'/K' down the sides, β : A/K → A'/K' along the bottom.]

In this case, the dual isogenies φ† and φ'† are also isomorphic.

Definition 2.2. Fix a positive integer g and a prime ℓ. The (ℓ, . . . , ℓ)-isogeny graph, denoted Γ_g(ℓ; p), is the directed weighted multigraph defined as follows.
• The vertices are isomorphism classes of PPAVs defined over $\overline{\mathbb{F}}_p$. If A is a PPAV, then (A) denotes the corresponding vertex.
• The edges are isomorphism classes of (ℓ, . . . , ℓ)-isogenies, weighted by the number of distinct kernels yielding isogenies in the class. The weight of an edge (φ) is denoted by w((φ)).

If (φ) : (A) → (A') is an edge, then w((φ)) = n if and only if there are n Lagrangian subgroups K ⊂ A[ℓ] such that A' ≅ A/K (this definition is independent of the choice of representative isogeny φ). Equivalently, if there is an (ℓ, . . . , ℓ)-isogeny φ : A → A', then w((φ)) is equal to the size of the orbit of ker φ under the action of Aut(A) on the set of Lagrangian subgroups of A[ℓ].

The isogeny graph breaks up into components; there are at least as many connected components as there are isogeny classes over k. We are particularly interested in the superspecial isogeny class.

Definition 2.3. A PPAV A/F_p of dimension g is superspecial if its Hasse–Witt matrix vanishes identically. Equivalently, A is superspecial if it is isomorphic as an unpolarized abelian variety to a product of supersingular elliptic curves.

For general facts and background on superspecial and supersingular abelian varieties, we refer to Li and Oort [29], and Brock’s thesis [6] (especially for g ≤ 3).

Definition 2.4. The (ℓ, . . . , ℓ)-isogeny graph of g-dimensional superspecial PPAVs over F_p is denoted by $\Gamma^{SS}_g(\ell; p)$. We often refer to $\Gamma^{SS}_g(\ell; p)$ as the superspecial graph, with g, ℓ, and p implicit.

The graph $\Gamma^{SS}_g(\ell; p)$ is regular (every vertex has the same weighted out-degree), and Jordan and Zaytman recently proved that $\Gamma^{SS}_g(\ell; p)$ is connected (see [25]; though this result was already implicit, in a different language, in [34, Lemma 7.9]).

If an elliptic curve is supersingular, then it is isomorphic to a curve defined over F_{p²}. Similarly, if A/F_p is superspecial, then A is isomorphic to a PPAV defined over F_{p²}, so in our experiments involving superspecial graphs, we work over F_{p²} for various p.

3. Isogenies and automorphisms

Isogeny graphs are weighted directed graphs, and before going any further, we should pause to understand the weights. The weights of the edges are closely related to the automorphism groups of the vertices that they connect, as we shall see.

Let A be a PPAV, let K be a Lagrangian subgroup of A[ℓ] for some ℓ, and let α be an automorphism of A. We write K^α for α(K). If K^α = K, then α induces an automorphism of A/K. Going further, if S is the stabiliser of K in Aut(A), then S induces an isomorphic subgroup S' of Aut(A/K). Now suppose that K^α ≠ K. If φ : A → A/K and φ_α : A → A/K^α are the quotient isogenies, then α induces an isomorphism $\alpha_* : A/K \to A/K^\alpha$ such that $\alpha_* \circ \varphi = \varphi_\alpha \circ \alpha$. (Note that φ and φ_α are only defined up to isomorphism, but if we fix a choice of φ and φ_α, then α_* is unique.) Let $\varphi'_\alpha = \alpha_*^{-1} \circ \varphi_\alpha$. The isogenies φ and φ'_α have identical domains and codomains, but distinct kernels; thus, they both represent the same edge in the isogeny graph, and w((φ)) > 1. Going further, if O_K is the orbit of K under Aut(A), then there are #O_K distinct kernels of isogenies representing (φ): that is, w((φ)) = #O_K. Looking at the dual isogenies, we see that $\alpha^{-1} \circ (\varphi'_\alpha)^\dagger \circ \varphi = [\ell]_A$, so φ† and (φ'_α)† have the same kernel. Hence, while automorphisms of A may lead to increased weight on the edge (φ), they have no effect on the weight of the dual edge (φ†).
Every PPAV has a nontrivial involution [−1], but [−1] fixes every kernel and commutes with every isogeny. It therefore has no impact on edges or weights in the isogeny graph, so we can simplify our analysis by quotienting it away. Indeed, since [−1] is contained in the centre of Aut(A), the quotient Aut(A)/[−1] acts on the set of Lagrangian subgroups of A[ℓ]. This is crucial in what follows.

Definition 3.1. If A is a PPAV, then its reduced automorphism group¹ is RA(A) := Aut(A)/[−1].

Lemma 3.2. Let φ : A → A' be an (ℓ, . . . , ℓ)-isogeny, and let S be the stabiliser of ker(φ) in RA(A).
(1) The isogeny φ induces a subgroup S' of RA(A') isomorphic to S, and S' is the stabiliser of ker φ† in RA(A').
(2) If s := #S (so s = #S'), then in the (ℓ, . . . , ℓ)-isogeny graph we have w((φ)) = #RA(A)/s and w((φ†)) = #RA(A')/s. In particular,
$$
(3.1)\qquad \#\mathrm{RA}(A) \cdot w((\varphi^\dagger)) = \#\mathrm{RA}(A') \cdot w((\varphi)).
$$

Proof. Let K := ker(φ) be the kernel of φ. As discussed above, each α in Aut(A) induces an isomorphism α_* : A' → A/α(K), and if α stabilises K, then α_* is an automorphism of A'. As α stabilises A[ℓ], this gives an inclusion of S into the stabiliser of ker φ†. The reverse inclusion comes from the symmetric argument on the dual. The second statement follows from the orbit-stabiliser theorem. Note we only need to consider the action by reduced automorphisms, as [−1] acts trivially on all subgroups of A. □

To understand the isogeny graph, then, we need to understand the reduced automorphism groups of its vertices. A generic PPAV A has Aut(A) = [−1], so RA(A) = 1. The simplest examples of nontrivial reduced automorphism groups are the elliptic curves with j-invariants 0 and 1728. Moving into higher dimensions, nontrivial reduced automorphism groups are much more common: for example, if A = E × E' is a product of elliptic curves, then [1]_E × [−1]_{E'} is a nontrivial involution in RA(E × E'). We will see many more examples of nontrivial reduced automorphism groups below.

Example 3.3. Consider the graph $\Gamma^{SS}_2(2; 11)$, shown in Figure 1. It has five vertices:
• (A_1) = (J(C_1)), for C_1 : y² = x⁶ − 1, with RA(A_1) = D_{2×6}.
• (A_2) = (J(C_2)), for C_2 : y² = (x³ − 1)(x³ − 3), with RA(A_2) = S_3.
• (E²_1728), where E_1728 : y² = x³ − x, and #RA(E²_1728) = 16.
• (E²_0), where E_0 : y² = x³ − 1, and #RA(E²_0) = 36.
• (Π) = (E_0 × E_1728), with #RA(Π) = 12.

¹ Reduced automorphism groups are usually defined for hyperelliptic curves, not abelian varieties, but if A = J(C) is the Jacobian of a hyperelliptic curve and ι is the hyperelliptic involution, then RA(J(C)) is canonically isomorphic to RA(C) = Aut(C)/ι; so our definition is consistent for hyperelliptic Jacobians.
The weights indicated in the figure indeed satisfy Equation (3.1). For instance, there is a unique (2, 2)-isogeny φ : E²_1728 → E²_0 (up to isomorphism), and
$$
\frac{w((\varphi))}{w((\varphi^\dagger))} = \frac{4}{9} = \frac{16}{36} = \frac{\#\mathrm{RA}(E_{1728}^2)}{\#\mathrm{RA}(E_0^2)}.
$$

[Figure 1: the weighted directed graph $\Gamma^{SS}_2(2; 11)$ on the vertices A_1, A_2, E²_1728, E²_0, Π; the individual edge weights are not recoverable from the extracted text.]

Figure 1. The graph $\Gamma^{SS}_2(2; 11)$, with isogeny weights.

4. Random walks

Let G = (V, E, w) be a directed weighted multigraph with finite vertex set V. The weight of an edge e is denoted by w(e) > 0. Given subsets S, T ⊂ V, we denote the multiset of edges from S to T by E(S, T), omitting the curly braces when S or T is a singleton {u}. For each pair of vertices u, v ∈ V we write $w_{uv} = \sum_{e \in E(u, v)} w(e)$, and for each vertex u ∈ V we have $\deg u = \sum_{e \in E(u, V)} w(e)$. The set of neighbors of a vertex u ∈ V (that is, the set of vertices v such that E(u, v) ≠ ∅) is denoted N(u).

We define a random walk on G with starting vertex v_0 ∈ V in the usual way: for each natural t ≥ 0 and pair of vertices u, v ∈ V, we have
$$
P(v_{t+1} = v \mid v_t = u) = \frac{w_{uv}}{\deg u},
$$
with the remark that this probability is zero whenever E(u, v) = ∅. The random walk transition matrix is the matrix M given by $M_{v,u} = w_{uv}/\deg u$. If G is a strongly connected aperiodic graph, then the Perron–Frobenius Theorem tells us there is a unique positive vector ϕ = (ϕ(u))_{u∈V} with $\|\varphi\|_1 = 1$ such that Mϕ = ϕ (see [28, Proposition 1.14 and Theorem 4.9]). This vector ϕ is called the stationary distribution of G. Moreover, for any starting distribution ψ on the vertices of G, we have $\lim_{n\to\infty} M^n \psi = \varphi$.²

When G is an undirected graph, the stationary distribution is the vector ϕ where
$$
\varphi(u) = \frac{\deg u}{2|E|} \quad \text{for } u \in V;
$$
we see immediately that this is indeed the stationary distribution, because
$$
\varphi(u) = \frac{\deg u}{2|E|} = \sum_{v \in N(u)} \frac{1}{\deg v} \cdot \frac{\deg v}{2|E|}.
$$
² If we drop the connectivity hypothesis, then ϕ is neither positive nor unique. Meanwhile, a periodic graph will still have a stationary distribution, but convergence to it is not guaranteed.
However, when G is a directed graph, there is no closed-form formula for the stationary distribution of the random walk. Even the principal ratio $\max_{u \in V} \varphi(u) / \min_{u \in V} \varphi(u)$ of the distribution can be difficult to bound, and it can be exponentially large even when degree bounds such as δ ≤ deg u ≤ Δ, for all u ∈ V, are known [1].

4.1. Directed graphs and linear imbalance. The following definition tries to restrict the amount of allowed “directedness” in a graph, so that we are able to find closed-form stationary distributions for isogeny graphs. It applies directly to the graph $\Gamma^{SS}_2(2; 11)$ displayed in Figure 1.

Definition 4.1. Let G = (V, E, w) be a directed weighted graph. We say G has linear imbalance if there exists a vertex partition V = A_1 ⊔ · · · ⊔ A_n and a bijection $(\cdot)^\dagger : E(u, v) \to E(v, u)$ for each pair of adjacent vertices u, v ∈ V, such that
(1) If u, v ∈ A_i, then for each e ∈ E(u, v), w(e) = w(e†).
(2) For each i ≠ j there exists a rational number m_{ij}, such that if u ∈ A_i, v ∈ A_j, and e ∈ E(u, v), then w(e) = m_{ij} · w(e†).
In particular $m_{ji} = m_{ij}^{-1}$, and we can set m_{ii} = 1.

We can see G as an undirected graph if we forget the weights, due to the existence of the bijections $(\cdot)^\dagger : E(u, v) \to E(v, u)$. However, the presence of weights changes the definition of the random walk on G, and in particular the stationary distribution will be different. We now want to compute this distribution.

Proposition 4.2. Let G = (V, E) be a linear imbalance graph with partition V = A_1 ⊔ · · · ⊔ A_n. Assume all vertices of each given class A_i have the same degree d_i, i.e., deg(u) = d_i for all u ∈ A_i. Suppose there exists a non-zero solution (α_1, . . . , α_n) to the system of equations
$$
(4.1)\qquad \frac{m_{ji}}{d_j}\, \alpha_j = \frac{1}{d_i}\, \alpha_i \quad \text{for every } i, j \text{ such that } E(A_i, A_j) \neq \emptyset.
$$
Define the vectors $\tilde\varphi = (\tilde\varphi(u))_{u \in V}$ by $\tilde\varphi(u) = \alpha_i$ if u ∈ A_i, and $\varphi = \tilde\varphi / \|\tilde\varphi\|_1$. The vector ϕ is a stationary distribution for the random walk on G. Moreover, the random walk on G is a reversible Markov chain.

Proof. We need to check that
$$
\tilde\varphi(u) = \sum_{v \in N(u),\, e \in E(u, v)} \frac{w(e^\dagger)}{\deg v}\, \tilde\varphi(v).
$$
Say u ∈ A_i, and label its neighbors $v_1, \ldots, v_{t_u}$ (inside the classes $A_{j_1}, \ldots, A_{j_{t_u}}$). Then the previous equation becomes
$$
\tilde\varphi(u) = \sum_{v \in N(u),\, e \in E(u, v)} \frac{w(e^\dagger)}{\deg v}\, \tilde\varphi(v) = \sum_{k=1}^{t_u} \frac{m_{j_k i}\, w_{u v_k}}{d_{j_k}}\, \tilde\varphi(v_k).
$$
Substituting the values of $\tilde\varphi(u)$ and $\tilde\varphi(v_k)$, we get the equation
$$
\alpha_i = \sum_{k=1}^{t_u} \frac{m_{j_k i}\, w_{u v_k}}{d_{j_k}}\, \alpha_{j_k}.
$$
Using Equations (4.1), we get
$$
\alpha_i = \sum_{k=1}^{t_u} \frac{w_{u v_k}}{d_i}\, \alpha_i = \Big(\sum_{k=1}^{t_u} w_{u v_k}\Big) \frac{1}{d_i}\, \alpha_i,
$$
which is trivially true.

We say a Markov chain is reversible if, for all states u, v, we have ϕ(u)P(u, v) = ϕ(v)P(v, u) where P(u, v) is the probability of walking from u to v. In our case, this equation becomes
$$
\frac{w_{uv}}{d_i}\, \alpha_i = \frac{w_{vu}}{d_j}\, \alpha_j
$$
whenever u ∈ A_i, v ∈ A_j, which is always satisfied (after dividing both sides by w_{vu}). This proves the reversibility of the chain. □

Proposition 4.2 imposes a total of $\binom{n}{2}$ equations, which may or may not yield a solution. However, we can reduce the number of necessary equations if the graph is connected and has composable linear imbalance.

Definition 4.3. Let G and A_i be as above. Construct an undirected graph G' = (V', E') with vertices V' = {a_1, . . . , a_n} and with edges E' = {{a_i, a_j} | E(A_i, A_j) ≠ ∅}. We say G has composable linear imbalance³ if for any two neighboring vertices a_i, a_j and for any path in G' (with distinct edges and vertices) $a_i = a_{i_0} \to a_{i_1} \to \cdots \to a_{i_k} = a_j$ from a_i to a_j we have $m_{ji} = m_{j i_{k-1}}\, m_{i_{k-1} i_{k-2}} \cdots m_{i_1 i}$.

Every undirected graph has composable linear imbalance by defining any partition on its set of vertices. Or, alternatively, a linear imbalance graph is undirected if and only if m_{ij} = 1 for all i, j.

Lemma 4.4. Let G = (V, E) be a connected graph satisfying the same conditions as in Proposition 4.2. If G has composable linear imbalance, then the set of equations
$$
(4.2)\qquad \frac{m_{ji}}{d_j}\, \alpha_j = \frac{1}{d_i}\, \alpha_i
$$
can be reduced to a set of n − 1 equations, where n is the number of classes in the vertex partition of G.

Proof. Recall V = A_1 ⊔ · · · ⊔ A_n, and let G' be the graph associated to this partition. Let T be any spanning tree of G'. Consider the system of n − 1 equations $\frac{m_{ji}}{d_j}\alpha_j = \frac{1}{d_i}\alpha_i$ whenever {a_i, a_j} is an edge in T. We claim this system is equivalent to the full system. Indeed, for any two vertices a_i, a_j ∈ T such that E(A_i, A_j) ≠ ∅, let $a_i = a_{i_0} \to a_{i_1} \to \cdots \to a_{i_k} = a_j$ be a path in T from a_i to a_j. Using the newly defined system, we get the equation
$$
\frac{1}{d_i}\, \alpha_i = \frac{m_{j i_{k-1}}\, m_{i_{k-1} i_{k-2}} \cdots m_{i_1 i}}{d_j}\, \alpha_j,
$$

³ This is also known in the Markov chain literature as the Kolmogorov criterion, and it characterises chain reversibility. We use this term as it provides more meaning to our setting.
Licensed to AMS. License or copyright restrictions may apply to redistribution; see https://www.ams.org/publications/ebooks/terms
AUTOMORPHISMS AND SUPERSPECIAL RICHELOT ISOGENY GRAPHS
which by composability gives us the desired equation
1 di αi
=
mji dj αj .
111
Example 4.5. (1) This result can be illustrated by computing the stationary distribution for the random walk over $\Gamma_1^{SS}(\ell; p)$ with $p \equiv 11 \pmod{12}$ (the other possibilities for $p$ are special cases of this). We partition the set of vertices $V$ into three sets, $A_0 = V \setminus \{E_0, E_{1728}\}$, $A_1 = \{E_0\}$, and $A_2 = \{E_{1728}\}$. This partition gives the graph composable linear imbalance, with $m_{01} = 3$, $m_{02} = 2$, and $m_{12} = 2/3$. The graph $\mathcal{G}$ is a triangle,⁴ which imposes three linear equations in three variables, but we get a spanning tree $T$ by removing any edge. For instance, we get the equations
$$\frac{3}{\ell+1}\,\alpha_0 = \frac{1}{\ell+1}\,\alpha_1 \quad\text{and}\quad \frac{2}{\ell+1}\,\alpha_0 = \frac{1}{\ell+1}\,\alpha_2,$$
which are satisfied by $(\alpha_0, \alpha_1, \alpha_2) = (1, 1/3, 1/2)$.

(2) The same procedure can be applied to the graph $\Gamma_2^{SS}(2; 11)$ displayed in Figure 1. We have a disjoint partition in five one-vertex sets, and the multipliers $m_{ij}$ between them are given by ratios of sizes of automorphism groups. By the same procedure as above, the stationary distribution is given by the vector
$$(\alpha_{A_1}, \alpha_{A_2}, \alpha_{E_{1728}^2}, \alpha_{E_0^2}, \alpha_\Pi) = \frac{144}{121}\cdot\left(\frac{1}{12}, \frac{1}{6}, \frac{1}{16}, \frac{1}{36}, \frac{1}{12}\right).$$

Corollary 4.6. Let $G = (V, E)$ be a connected linear imbalance graph with a vertex partition $V = A_1 \sqcup \cdots \sqcup A_n$. Suppose that for each $1 \le i \le n$ there exists a positive real number $g_i$ such that for all $i, j$, $m_{ij} = g_j/g_i$. Then $G$ has composable linear imbalance, and it has stationary distribution $\phi = \tilde\phi/\|\tilde\phi\|_1$, where
$$\tilde\phi(u) = \frac{d_i}{g_i} = \frac{\deg(u)}{g_i} \quad\text{whenever } u \in A_i.$$

Proof. The fact that $G$ has composable linear imbalance is trivial from the equalities $m_{ij} = g_j/g_i$. From Lemma 4.4, the equations $\frac{m_{ji}}{d_j}\alpha_j = \frac{1}{d_i}\alpha_i$ are satisfied for all $i, j$ with $E(A_i, A_j) \neq \emptyset$. But these equations correspond to $\frac{g_j}{d_j}\alpha_j = \frac{g_i}{d_i}\alpha_i$, which are trivially satisfied by setting $\alpha_i = d_i/g_i$.

We discuss now the mixing rate of a graph $G$ satisfying the hypotheses of the last result. Let $M_G$ be the random walk matrix. We define an inner product on $\mathbb{R}^{|V(G)|}$, denoted by $\langle\cdot,\cdot\rangle_\phi$, by
$$\langle f, g\rangle_\phi = \sum_{u \in V(G)} f(u)\,g(u)\,\phi(u).$$
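As an added illustration of Proposition 4.2, Lemma 4.4 and Corollary 4.6 (example code written for this page, not from the paper), the following Python builds a small constructed linear-imbalance graph modelled on Example 4.5(1): every vertex has out-degree 3, each vertex carries a hypothetical automorphism-group order g(u), and the edge multiplicities satisfy w(u,v)/w(v,u) = g(u)/g(v), the ratio used in the proof of Theorem 4.9. It checks that ratio, computes φ̃(u) = deg(u)/g(u) exactly with rational arithmetic, verifies φP = φ and the detailed-balance (reversibility) condition, and measures the deviation |Pr[u_n = v] − φ(v)| of a walk started at a vertex with nontrivial automorphisms. The vertex names, weights and g values are constructed for the example, not data from the paper.

```python
from fractions import Fraction

# Constructed toy linear-imbalance graph (not from the paper). Every vertex
# has out-degree d = 3, as in a 2-isogeny graph (d = ell + 1). G_AUT[u] plays
# the role of #RA(u): Z mimics j = 0 (g = 3), F mimics j = 1728 (g = 2), X and
# Y are "generic" vertices (g = 1). The edge multiplicities G_EDGES[u][v] are
# chosen so that w(u,v) / w(v,u) = g(u) / g(v).
G_AUT = {"Z": 3, "F": 2, "X": 1, "Y": 1}
G_EDGES = {
    "Z": {"X": 3},            # the three edges out of Z all land on X
    "F": {"F": 1, "Y": 2},    # a loop of weight 1 and a weight-2 edge
    "X": {"Z": 1, "Y": 2},
    "Y": {"F": 1, "X": 2},
}


def out_degree(edges, u):
    """deg(u): number of outgoing edges, counted with multiplicity."""
    return sum(edges[u].values())


def has_linear_imbalance(edges, aut):
    """Check w(u,v)/w(v,u) = g(u)/g(v) for every edge u -> v with u != v.

    A one-directional edge is rejected: the dual of an isogeny is again an
    isogeny, so every edge must have a reverse edge."""
    for u, nbrs in edges.items():
        for v, w_uv in nbrs.items():
            if u == v:
                continue
            w_vu = edges[v].get(u, 0)
            if w_vu == 0 or Fraction(w_uv, w_vu) != Fraction(aut[u], aut[v]):
                return False
    return True


def stationary_distribution(edges, aut):
    """phi = phi_tilde / ||phi_tilde||_1 with phi_tilde(u) = deg(u) / g(u),
    the formula of Corollary 4.6 / Theorem 4.9(1)."""
    unnormalised = {u: Fraction(out_degree(edges, u), aut[u]) for u in edges}
    total = sum(unnormalised.values())
    return {u: x / total for u, x in unnormalised.items()}


def transition(edges, u, v):
    """P(u,v) = w(u,v) / deg(u): one step of the random walk."""
    return Fraction(edges[u].get(v, 0), out_degree(edges, u))


def is_stationary(edges, phi):
    """phi P = phi, checked exactly."""
    return all(
        sum(phi[u] * transition(edges, u, v) for u in edges) == phi[v]
        for v in edges
    )


def is_reversible(edges, phi):
    """Detailed balance: phi(u) P(u,v) = phi(v) P(v,u) for all u, v."""
    return all(
        phi[u] * transition(edges, u, v) == phi[v] * transition(edges, v, u)
        for u in edges for v in edges
    )


def walk_distribution(edges, start, n):
    """Exact distribution of u_n for the random walk with u_0 = start."""
    dist = {u: Fraction(int(u == start)) for u in edges}
    for _ in range(n):
        dist = {v: sum(dist[u] * transition(edges, u, v) for u in edges)
                for v in edges}
    return dist


def max_deviation(edges, aut, start, n):
    """max_v |Pr[u_n = v] - phi(v)|, the quantity bounded in Proposition 4.8."""
    phi = stationary_distribution(edges, aut)
    dist = walk_distribution(edges, start, n)
    return max(abs(dist[v] - phi[v]) for v in edges)


if __name__ == "__main__":
    phi = stationary_distribution(G_EDGES, G_AUT)
    print("linear imbalance:", has_linear_imbalance(G_EDGES, G_AUT))
    print("stationary:", {u: str(x) for u, x in phi.items()})
    print("phi P == phi:", is_stationary(G_EDGES, phi))
    print("reversible:", is_reversible(G_EDGES, phi))
    for n in (0, 10, 50, 400):
        print("deviation after", n, "steps:",
              float(max_deviation(G_EDGES, G_AUT, "Z", n)))
```

On this toy graph the stationary vector is (2/17, 3/17, 6/17, 6/17) for (Z, F, X, Y): the vertex with the largest automorphism group is visited least, exactly the effect the paper describes for j = 0 and j = 1728 in Example 4.5(1). The deviation of a walk started at Z decays geometrically, as Proposition 4.8 predicts, though this small graph mixes slowly.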
Lemma 4.7 ([28, Lemma 12.2]). The reversible property of the random walk on $G$ implies:
(1) The inner product space $(\mathbb{R}^{|V(G)|}, \langle\cdot,\cdot\rangle_\phi)$ has an orthonormal basis $\{f_j : 1 \le j \le |V(G)|\}$ of real-valued left eigenvectors of $M_G$, corresponding to real eigenvalues $\{\lambda_j : 1 \le j \le |V(G)|\}$.
(2) Given a random walk $u = u_0 \to \cdots \to u_n \to \cdots$, for all $v \in V(G)$ we have
$$\frac{\Pr[u_n = v]}{\phi(v)} = 1 + \sum_{j=2}^{|V(G)|} f_j(u)\,f_j(v)\,\lambda_j^n. \qquad (4.3)$$

In particular, if the graph $G$ is connected and aperiodic, then we know $1 = \lambda_1 > \lambda_2 \ge \cdots \ge \lambda_{|V(G)|} > -1$. Letting
$$\lambda^*(G) = \max\{|\lambda| \mid \lambda \text{ is an eigenvalue of } M_G,\ \lambda \neq 1\},$$
we have the following result bounding the mixing rate of the random walk.

Proposition 4.8. Consider a random walk $u = u_0 \to \cdots \to u_n \to \cdots$, and let $v \in V(G)$ be any vertex. If $u \in A_i$ and $v \in A_j$, we have
$$|\Pr[u_n = v] - \phi(v)| \le \lambda^*(G)^n \sqrt{\frac{\deg(v)}{\deg(u)}\,\frac{g_i}{g_j}}.$$

Proof. We adapt the proof of [28, Theorem 12.4]. Using Eq. (4.3) and the Cauchy–Schwarz inequality we get
$$\left|\frac{\Pr[u_n = v]}{\phi(v)} - 1\right| \le \sum_{j=2}^{|V(G)|} |f_j(u)\,f_j(v)|\,\lambda^*(G)^n \le \lambda^*(G)^n \left(\sum_{j=2}^{|V(G)|} f_j^2(u) \sum_{j=2}^{|V(G)|} f_j^2(v)\right)^{1/2}.$$
Let $\delta_w$ be the function
$$\delta_w(u) = \begin{cases} 1 & \text{if } w = u, \\ 0 & \text{if } w \neq u. \end{cases}$$
This function can be written in the following way, using the orthonormal basis of functions $\{f_j\}_{j=1}^{|V(G)|}$:
$$\delta_w = \sum_{j=1}^{|V(G)|} \langle \delta_w, f_j\rangle_\phi\, f_j = \sum_{j=1}^{|V(G)|} f_j(w)\,\phi(w)\,f_j.$$
From this we obtain
$$\phi(w) = \langle \delta_w, \delta_w\rangle_\phi = \left\langle \sum_{j=1}^{|V(G)|} f_j(w)\,\phi(w)\,f_j,\ \sum_{j=1}^{|V(G)|} f_j(w)\,\phi(w)\,f_j \right\rangle_\phi = \phi(w)^2 \sum_{j=1}^{|V(G)|} f_j^2(w),$$
which implies $\sum_{j=2}^{|V(G)|} f_j^2(w) < \phi(w)^{-1}$. Combining this with the first stated inequality we get
$$|\Pr[u_n = v] - \phi(v)| \le \lambda^*(G)^n \sqrt{\frac{\phi(v)}{\phi(u)}};$$
the result follows on substituting the values of $\phi$ obtained in Corollary 4.6.

⁴ It is actually a tree in many cases, but the computation is the same.
Proposition 4.8 is the analog of classical results on random walk mixing in undirected graphs: [30, Theorem 5.1] for the general case, [21, Theorem 3.3] for regular graphs, and [31] and [18, Theorem 1] for supersingular isogeny graphs.

4.2. Isogeny graphs as linear imbalance graphs. Our results so far allow us to give the stationary distribution and convergence rate for superspecial isogeny graphs. But we can state a much more general result, and apply the same theory to interesting isogeny subgraphs.

Theorem 4.9. Let $G$ be a finite, connected and aperiodic subgraph of $\Gamma_g(\ell; p)$, such that for each edge $(\varphi)$ in $G$, its dual edge $(\varphi^\dagger)$ is also in $G$.
(1) The stationary distribution of the random walk in $G$ is given by
$$\phi_G = \tilde\phi_G/\|\tilde\phi_G\|_1, \qquad \tilde\phi_G(A) = \frac{\deg(A)}{\#RA(A)},$$
where $\deg(A)$ denotes the number of isogenies in $G$ with domain $A$.
(2) The mixing rate is $\lambda^*(G)$. More precisely, if $A_0 \to \cdots \to A_n \to \cdots$ is a random walk, and $A$ is any vertex of $G$, then the convergence to the stationary distribution is given by
$$|\Pr[A_n \cong A] - \phi_G(A)| \le \lambda^*(G)^n \sqrt{\frac{\deg A}{\deg A_0}\,\frac{\#RA(A_0)}{\#RA(A)}}. \qquad (4.4)$$

Proof. For Part (1): Lemma 3.2 tells us that $G$ has linear imbalance, by partitioning its set of vertices according to the reduced automorphism group of each variety. Indeed, for any two neighbouring PPAVs $A$ and $A'$ in $\Gamma_g(\ell; p)$, we have
$$\frac{w_{A,A'}}{w_{A',A}} = \frac{\#RA(A)}{\#RA(A')}.$$
We can refine this partition further so that all nodes in a single class have the same degree. This way, all hypotheses of Proposition 4.2 and Corollary 4.6 are satisfied, yielding the stated distribution. Part (2) then follows from Proposition 4.8.

Theorem 4.9 is true for all superspecial isogeny graphs $\Gamma_g^{SS}(\ell; p)$, as they are connected and non-bipartite [25, Corollary 18] and hence aperiodic. In fact, we can always produce a loop if $g$ is even: if $\varphi: E \to E'$ is an elliptic $\ell$-isogeny, then the product $(\ell, \ldots, \ell)$-isogeny
$$(E \times E')^{g/2} \xrightarrow{\ \varphi \times \varphi^\dagger \times \cdots \times \varphi \times \varphi^\dagger\ } (E \times E')^{g/2} \qquad (4.5)$$
is a loop in $\Gamma_g^{SS}(\ell; p)$. If $g$ is odd, we let $\psi_1: E \to E$, $\psi_2: E \to E$ be two elliptic curve isogenies of respective degrees $\ell^e$ and $\ell^f$ with $e$ and $f$ coprime (this exists, since $\Gamma_1^{SS}(\ell; p)$ is non-bipartite [25, Corollary 18] and so aperiodic). Then, by constructing the previous isogeny $\varphi \times \varphi^\dagger \times \cdots \times \varphi \times \varphi^\dagger$ in genus $g - 1$, we get two isogenies
$$(\varphi \times \varphi^\dagger)^e \times \cdots \times (\varphi \times \varphi^\dagger)^e \times \psi_1, \qquad (\varphi \times \varphi^\dagger)^f \times \cdots \times (\varphi \times \varphi^\dagger)^f \times \psi_2,$$
where exponentiation means composition ($\varphi \times \varphi^\dagger$ is an endomorphism of $E \times E'$), representing two cycles of coprime lengths $e$ and $f$ in $\Gamma_g^{SS}(\ell; p)$.
4.3. Bounds on eigenvalues. If we fix $g$ and $\ell$, and we have a constant $\lambda = \lambda(g, \ell) < 1$ such that $\lambda^*(\Gamma_g^{SS}(\ell; p)) \le \lambda$ for all $p$, then we get a family of graphs with good expansion properties.⁵ Combining this with Equation (4.4), we conclude that the diameter of each graph is $O(\log p)$, a property that also holds for regular expander graphs.

Given a $d$-regular undirected graph $G$ with $\lambda^*(G)$ as second largest eigenvalue (in absolute value), we have $d \cdot \lambda^*(G) \ge 2\sqrt{d-1} - o_n(1)$. Here $o_n(1)$ is a quantity that tends to zero for fixed $d$ when the number of vertices $n$ goes to infinity. If $d \cdot \lambda^*(G) \le 2\sqrt{d-1}$, then $G$ is said to be Ramanujan [21]. Ramanujan graphs have optimal expansion properties. Isogeny graphs of supersingular elliptic curves are Ramanujan [35], and it was hoped that this property would extend to the more general graphs $\Gamma_g^{SS}(\ell; p)$ [13, Hypothesis 1]. We have shown $\Gamma_g^{SS}(\ell; p)$ does not fit into the definition of an expander graph for $g \ge 2$, due to the presence of non-trivial reduced automorphism groups. However, we may still ask for bounds on $\lambda^*(\Gamma_g^{SS}(\ell; p))$, as a Ramanujan property of sorts.

Now, letting $N_g(\ell)$ be the out-degree of the vertices in $\Gamma_g^{SS}(\ell; p)$, we ask a question: for which $g$, $\ell$ and $p$, if any, does the bound
$$N_g(\ell) \cdot \lambda^*(\Gamma_g^{SS}(\ell; p)) \le 2\sqrt{N_g(\ell) - 1}$$
hold? Jordan and Zaytman [25] have given a first counterexample: $\Gamma_2^{SS}(2; 11)$ is not Ramanujan, as the second largest eigenvalue of the adjacency matrix is $7 + \sqrt{3}$, which is larger than $2\sqrt{N_2(2) - 1} = 2\sqrt{15 - 1}$. We have gathered evidence that the same behaviour also occurs for (at least) all graphs $\Gamma_2^{SS}(2; p)$ for primes $11 \le p \le 601$. For all these primes, the superspecial Richelot isogeny graph fails to be Ramanujan, and in fact most values of $\lambda^*$ (except for a few small primes) are very close to $11.5/15$. Giving a theoretical reason for this behaviour is left as future work. The eigenvalues and diameters of each graph can be found in Appendix A.

In Section 7 we prove that both the subgraph of Jacobians and the subgraph of elliptic products satisfy the hypotheses to have convergence to a stationary distribution, and so our data also includes their eigenvalues and diameters. We now refine the previously stated conjectures on superspecial graphs.

Conjecture 4.10. For all $g$ and $\ell$, there exists a fixed $\lambda = \lambda(g, \ell) < 1$ such that
$$\lambda^*(\Gamma_g^{SS}(\ell; p)) \le \lambda \quad\text{for every prime } p \ge 5.$$
In the case $g = 2$ and $\ell = 2$, we conjecture that
$$\frac{11}{15} \le \lambda^*(\Gamma_2^{SS}(2; p)) \le \frac{12}{15} \quad\text{for every prime } p \ge 41.$$

5. The Richelot isogeny graph

From now on, we focus on the case $g = 2$ and $\ell = 2$. Richelot [36, 37] gave the first explicit construction for $(2,2)$-isogenies, so the $(2,2)$-isogeny graph of principally polarized abelian surfaces (PPASes) is called the Richelot isogeny graph.

⁵ Note that they should not be called expander graphs: this term is reserved for regular undirected graphs.
Let $A_0$ be a PPAS with full rational 2-torsion. There are 15 rational Lagrangian subgroups $K_1, \ldots, K_{15}$ of $A_0[2]$, and each is the kernel of a rational $(2,2)$-isogeny $\varphi_i: A_0 \to A_i := A_0/K_i$. This means that every vertex in the $(2,2)$-isogeny graph has out-degree 15. In general, none of the isogenies or codomains are isomorphic. The algorithmic construction of the isogenies and codomains depends fundamentally on whether $A_0$ is a Jacobian or an elliptic product. We recall the Jacobian case in §B.1, and the elliptic product case in §B.2.

Before going further, we recall the explicit classification of (reduced) automorphism groups of PPASes. In contrast with elliptic curves, where (up to isomorphism) only two curves have nontrivial reduced automorphism group, with PPASes we see much richer structures involving many more vertices in $\Gamma_2(2; p)$.

5.1. Jacobians of genus-2 curves. Bolza [3] has shown that there are seven possible reduced automorphism groups for Jacobian surfaces (provided $p > 5$). Figure 2 gives Bolza's taxonomy, defining names ("types") for each of the reduced automorphism groups.

[Figure 2 (diagram): dim = 3: Type-A: 1. dim = 2: Type-I: $C_2$. dim = 1: Type-III: $C_2^2$; Type-IV: $S_3$. dim = 0: Type-II: $C_5$; Type-V: $D_{2\times 6}$; Type-VI: $S_4$.]

Figure 2. The taxonomy of reduced automorphism groups for genus-2 Jacobians. Dimensions on the left are of the loci on each level in the 3-dimensional moduli space of PPASes. Lines connect sub-types and super-types; specialization moves down the page.

We can identify the isomorphism class of a Jacobian $J(C)$ using the Clebsch invariants $A, B, C, D$ of $C$, which are homogeneous polynomials of degree 2, 4, 6, and 10 in the coefficients of the sextic defining $C$. Detailed formulæ appear in §B.3.

5.2. Products of elliptic curves. Elliptic products always have nontrivial reduced automorphism groups, because $RA(E \times E')$ always contains the involution $\sigma := [1]_E \times [-1]_{E'}$. Note that $\sigma$ fixes every Lagrangian subgroup of $(E \times E')[2]$ (though this is not true for $(E \times E')[\ell]$ if $\ell > 2$), so $\sigma$ always has an impact on the Richelot isogeny graph. Proposition 5.1 shows that there are seven possible reduced automorphism groups for elliptic product surfaces (provided $p > 3$), and Figure 3 gives a taxonomy of reduced automorphism groups analogous to that of Figure 2. We identify the isomorphism class of an elliptic product $E \times E'$ using the $j$-invariants $j(E)$ and $j(E')$ (an unordered pair when $E \not\cong E'$, and a single $j$-invariant when $E \cong E'$).
Proposition 5.1. If $A$ is an elliptic product surface, then (provided $p > 3$) there are seven possibilities for the isomorphism type of $RA(A)$.
(1) If $A \cong E \times E'$ for some $E \not\cong E'$, then one of the following holds:
• Type-Π: $\{j(E), j(E')\} \cap \{0, 1728\} = \emptyset$, and $RA(A) \cong C_2$.
• Type-Π0: $j(E) = 0$ or $j(E') = 0$, and $RA(A) \cong C_6$.
• Type-Π123: $j(E) = 1728$ or $j(E') = 1728$, and $RA(A) \cong C_4$.
• Type-Π0,123: $\{j(E), j(E')\} = \{0, 1728\}$, and $RA(A) \cong C_{12}$.
(2) If $A \cong E^2$ for some $E$, then one of the following holds:
• Type-Σ: $j(E) \notin \{0, 1728\}$, and $RA(A) \cong C_2^2$.
• Type-Σ0: $j(E) = 0$, and $RA(A) \cong C_6 \times S_3$.
• Type-Σ123: $j(E) = 1728$, and $RA(A) \cong C_2^2 \rtimes C_4$.

Proof. Recall that if $E$ is an elliptic curve, then: if $j(E) = 0$ then $\mathrm{Aut}(E) = \langle\rho\rangle \cong C_6$; if $j(E) = 1728$ then $\mathrm{Aut}(E) = \langle\iota\rangle \cong C_4$; and otherwise $\mathrm{Aut}(E) = \langle[-1]\rangle \cong C_2$.

For Part (1): if $E \not\cong E'$, then $\mathrm{Aut}(E \times E') \cong \mathrm{Aut}(E) \times \mathrm{Aut}(E')$. If $\mathrm{Aut}(E) = \langle\alpha\rangle$ and $\mathrm{Aut}(E') = \langle\beta\rangle$, then $\mathrm{Aut}(E \times E') = \langle\alpha \times [1], [1] \times \beta\rangle$. Notice that $\beta^d = [-1]$ for $d = 1, 2$ or $3$, so if $j(E) \notin \{0, 1728\}$, then $RA(E \times E') \cong \mathrm{Aut}(E')$, which proves the first three cases. For the remaining Type-Π0,123 case, the automorphism $[\rho] \times [\iota]$ has exact order 12, proving $RA(E \times E') \cong C_{12}$.

For Part (2): in this case $\mathrm{Aut}(E^2)$ certainly contains $\mathrm{Aut}(E)^2$ as a subgroup, but we also have the involution $\tau: (P, Q) \mapsto (Q, P)$. The existence of $\tau$ makes $\mathrm{Aut}(E^2)$ non-abelian, because $(\beta \times \gamma) \circ \tau = \tau \circ (\gamma \times \beta)$ for any $\beta, \gamma \in \mathrm{Aut}(E)$. If $\mathrm{Aut}(E) = \langle\alpha\rangle$, then $\mathrm{Aut}(E^2) = \langle\alpha \times [1], [1] \times \alpha, \tau\rangle$ is the wreath product $\mathrm{Aut}(E) \wr \langle\tau\rangle$, i.e., the semidirect product $(\mathrm{Aut}(E) \times \mathrm{Aut}(E)) \rtimes \langle\tau\rangle$. More explicitly: if $\mathrm{Aut}(E) = \langle\alpha\rangle$, then
$$\mathrm{Aut}(E^2) \cong \langle a, b, \tau \mid a^d = b^d = \tau^2 = 1,\ ab = ba,\ a\tau = \tau b\rangle,$$
where $a = \alpha \times [1]$, $b = [1] \times \alpha$, and $d \in \{2, 4, 6\}$ is the order of $\alpha$. Taking the quotient by $[-1]_{E^2}$, we identify the reduced automorphism groups using GAP's IdGroup [19].

[Figure 3 (diagram): dim = 2: Type-Π: $C_2$. dim = 1: Type-Π0: $C_6$; Type-Σ: $C_2^2$; Type-Π123: $C_4$. dim = 0: Type-Σ0: $C_6 \times S_3$; Type-Π0,123: $C_{12}$; Type-Σ123: $C_2^2 \rtimes C_4$.]

Figure 3. The taxonomy of reduced automorphism groups of elliptic products. Dimensions on the left are of the loci on each level in the 3-dimensional moduli space of PPASes. Lines connect sub-types and super-types; specialization moves down the page.

5.3. Implications for isogeny graphs. The vertices in $\Gamma_g(\ell; p)$ corresponding to PPAVs with nontrivial reduced automorphism groups form interesting and inter-related structures. We highlight a few of these facts for $g = 2$ and $\ell = 2$.

Katsura and Takashima observe that if we take a Jacobian vertex $(J(C))$ in $\Gamma_2(2; p)$, then the number of elliptic-product neighbours of $(J(C))$ is equal to the
number of involutions $\alpha$ in $RA(J(C))$ induced by involutions in $\mathrm{Aut}(J(C))$ (see [26, Proposition 6.1]). In particular: general Type-A vertices and the unique Type-II vertex have no elliptic product neighbours; Type-I and Type-IV vertices, and the unique Type-VI vertex, have one elliptic product neighbour; and the Type-III vertices and the unique Type-V vertex have two elliptic-square neighbours. By explicit computation of Richelot isogenies we can (slightly) extend Katsura and Takashima's results to give the complete description of weighted edges with codomain types for each of the vertex types in Table 1. The inter-relation of reduced automorphism groups and neighbourhoods of vertices and edges in the Richelot isogeny graph is further investigated (and illustrated) in [15].

Table 1. Number of edges, weights, and types of neighbours for vertices in $\Gamma_2(2; p)$ by reduced automorphism type. Observe that the edge numbers multiplied by their weights always sum to 15. Neighbour types may change under specialization (or for particular values of $p$), acquiring reduced automorphisms. See [15] for details.

Vertex   | #Edges | w | Neighbour
Type-A   | 15     | 1 | Type-A
Type-I   | 1      | 1 | Type-Π
         | 6      | 1 | Type-I
         | 4      | 2 | Type-A
Type-II  | 3      | 5 | Type-A
Type-III | 1      | 1 | (loop)
         | 2      | 1 | Type-Σ
         | 4      | 2 | Type-I
         | 1      | 4 | Type-A
Type-IV  | 1      | 3 | Type-Π
         | 3      | 3 | Type-I
         | 3      | 1 | Type-IV
Type-V   | 1      | 3 | (loop)
         | 1      | 1 | Type-Σ0
         | 1      | 3 | Type-Σ
         | 1      | 6 | Type-I
         | 1      | 2 | Type-IV
Type-VI  | 1      | 1 | (loop)
         | 1      | 6 | Type-Σ
         | 2      | 4 | Type-IV

Vertex      | #Edges | w | Neighbour
Type-Π      | 9      | 1 | Type-Π
            | 6      | 1 | Type-I
Type-Π0     | 3      | 3 | Type-Π
            | 2      | 3 | Type-I
Type-Π123   | 3      | 1 | Type-Π123
            | 3      | 2 | Type-Π
            | 3      | 2 | Type-I
Type-Π0,123 | 1      | 3 | Type-Π123
            | 1      | 6 | Type-Π
            | 1      | 6 | Type-I
Type-Σ      | 1      | 1 | (loop)
            | 3      | 2 | Type-Π
            | 3      | 1 | Type-Σ
            | 1      | 2 | Type-I
            | 3      | 1 | Type-III
Type-Σ0     | 1      | 3 | (loop)
            | 1      | 9 | Type-Σ
            | 1      | 3 | Type-V
Type-Σ123   | 1      | 3 | (loop)
            | 1      | 4 | Type-Σ
            | 1      | 4 | Type-Π123
            | 1      | 4 | Type-III
Remark 5.2. Each Type-IV vertex has a triple edge to an elliptic-product neighbour. In fact, the factors of the product are always 3-isogenous (cf. [20, §3]). The unique Type-VI vertex is a specialization of Type-IV, and in this case the Type-Π neighbour specializes to the square of an elliptic curve with $j$-invariant 8000 (which has an endomorphism of degree 3). The unique Type-V vertex is also a specialization of Type-IV, and in this case the Type-Π neighbour specializes to the square of an elliptic curve of $j$-invariant 54000 (which has an endomorphism of degree 3); one of the Type-IV neighbours degenerates to the square of an elliptic curve with $j$-invariant 0, while the other two merge, yielding a weight-2 edge; and one of the Type-I neighbours specializes to the Type-V vertex, yielding a loop, while the other two merge, yielding a weight-6 edge.

Remark 5.3. Every Type-III vertex (and the unique Type-V vertex) has two elliptic-square neighbours: these are the squares of a pair of 2-isogenous elliptic curves [20, §4]. In this way, Type-III vertices in $\Gamma_2(2; p)$ correspond to undirected edges (i.e., edges modulo dualization of isogenies) in $\Gamma_1(2; p)$.

Ibukiyama, Katsura, and Oort have computed the precise number of superspecial genus-2 Jacobians (up to isomorphism) of each reduced automorphism type [23, Theorem 3.3]. We reproduce their results for $p > 5$ in Table 2, completing them with the number of superspecial elliptic products of each automorphism type (which can be easily derived from the well-known formula for the number of supersingular elliptic curves over $\mathbb{F}_{p^2}$).

Table 2. The number of vertices in $\Gamma_2^{SS}(\ell; p)$ of each reduced automorphism type. Here $\varepsilon_{1,p} = 1$ if $p \equiv 3 \pmod 4$, 0 otherwise; $\varepsilon_{2,p} = 1$ if $p \equiv 5, 7 \pmod 8$, 0 otherwise; $\varepsilon_{3,p} = 1$ if $p \equiv 2 \pmod 3$, 0 otherwise; $\varepsilon_{5,p} = 1$ if $p \equiv 4 \pmod 5$, 0 otherwise; and $N_p = (p-1)/12 - \varepsilon_{1,p}/2 - \varepsilon_{3,p}/3$ is the number of supersingular elliptic curves over $\mathbb{F}_{p^2}$ with reduced automorphism group $C_2$.

Type     | Vertices in $\Gamma_2^{SS}(2; p)$
Type-A   | $\frac{1}{2880}(p-1)(p^2 - 35p + 346) - \frac{1}{16}\varepsilon_{1,p} - \frac{1}{4}\varepsilon_{2,p} - \frac{2}{9}\varepsilon_{3,p} - \frac{1}{5}\varepsilon_{5,p}$
Type-I   | $\frac{1}{48}(p-1)(p-17) + \frac{1}{4}\varepsilon_{1,p} + \varepsilon_{2,p} + \varepsilon_{3,p}$
Type-II  | $\varepsilon_{5,p}$
Type-III | $\frac{3}{2}N_p + \frac{1}{2}\varepsilon_{1,p} - \frac{1}{2}\varepsilon_{2,p} - \frac{1}{2}\varepsilon_{3,p}$
Type-IV  | $2N_p + \varepsilon_{1,p} - \varepsilon_{2,p}$
Type-V   | $\varepsilon_{3,p}$
Type-VI  | $\varepsilon_{2,p}$

Type        | Vertices in $\Gamma_2^{SS}(2; p)$
Type-Π      | $\frac{1}{2}N_p(N_p - 1)$
Type-Π0     | $\varepsilon_{3,p}N_p$
Type-Π123   | $\varepsilon_{1,p}N_p$
Type-Π0,123 | $\varepsilon_{1,p}\cdot\varepsilon_{3,p}$
Type-Σ      | $N_p$
Type-Σ0     | $\varepsilon_{3,p}$
Type-Σ123   | $\varepsilon_{1,p}$

6. Random walks in the superspecial Richelot isogeny graph

We now specialize the results of §4 to the case $g = 2$, $\ell = 2$, and consider some cryptographic applications.

6.1. Random walks.
Given an isogeny graph $G$ satisfying the hypotheses of Theorem 4.9, we let
$$K_G = \max_{A, A_0} \sqrt{\frac{\deg_G A}{\deg_G A_0}\,\frac{\#RA(A_0)}{\#RA(A)}}.$$
If we put $G = \Gamma_2^{SS}(2; p)$ and consider the reduced automorphism groups in Proposition 5.1, then $K_G = 6$. Together with Conjecture 4.10, this gives us precise constants for the convergence of the random walk distribution on the Richelot isogeny graph.

We will say that a vector $\psi \in \mathbb{R}^{|V(G)|}$ approximates the stationary distribution $\phi$ of the graph $G$ with an error of $\varepsilon > 0$ if for each vertex $u \in V(G)$, $|\psi(u) - \phi(u)| \le \varepsilon$. A random walk of length $n$ approximates the stationary distribution with error $\varepsilon$ if the distribution given by the walk at step $n$ does so.

Theorem 6.1. Assume Conjecture 4.10 for $g = 2$ and $\ell = 2$: that is, assume that $\lambda^*(\Gamma_2^{SS}(2; p)) \le \frac{12}{15}$ for all $p \ge 41$. A random walk of length $n \ge 4.5\,m \log p + 9$ approximates the stationary distribution on $\Gamma_2^{SS}(2; p)$ with an error of $\frac{1}{p^m}$. In particular, a random walk of length $n \ge 18 \log p + 9$ approximates the stationary distribution with an error of $\frac{1}{p^4}$.

Proof. Set $G = \Gamma_2^{SS}(2; p)$. Given a random walk $A_0 \to \cdots \to A_n \to \cdots$ and a vertex $A$, then for all $n$ we have
$$|\Pr[A_n \cong A] - \phi_G(A)| \le \lambda^*(G)^n \sqrt{\frac{\deg_G A}{\deg_G A_0}\,\frac{\#RA(A_0)}{\#RA(A)}} \le 6\,\lambda^*(G)^n.$$
The inequality $6\,\lambda^*(G)^n \le \frac{1}{p^m}$ is satisfied as long as
$$n \ge \frac{m \log p + \log 6}{\log(\lambda^*(G)^{-1})}.$$
Since $\log 6 / \log(15/12) \le 9$ and $1/\log(15/12) \le 4.5$, if $n \ge 4.5\,m \log p + 9$ then the above inequalities are satisfied. The particular case of $m = 4$ follows.

6.2. Distributions of subgraphs. If we perform a random walk on $\Gamma_2^{SS}(2; p)$, we will encounter a certain number of products of elliptic curves along the way. We can try to predict the ratio of elliptic products to visited nodes: a first guess could be that this ratio matches the proportion of such nodes in the entire graph, which is asymptotic to $10/p$ (see [9, Proposition 2]). However, this is not the empirical proportion that we observe in our experiment, which consists in performing 10,000 random walk steps in $\Gamma_2^{SS}(2; p)$ and counting the number $N$ of elliptic products encountered in our path. The ratio $N/10{,}000$ of elliptic products to visited nodes is closer to $5/p$, as seen in Table 3.

Table 3. Number of elliptic products encountered in a 10,000-step random walk for several primes. The third row shows the proportion scaled relative to each prime.

p     | 101      | 307      | 503     | 701      | 907     | 1103
N     | 415      | 201      | 130     | 64       | 50      | 44
Ratio | 4.1915/p | 6.1707/p | 6.539/p | 4.4864/p | 4.535/p | 4.8532/p
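The constants in Theorem 6.1 can be recomputed from the data in Proposition 5.1; the following Python is an added example written for this page, not the paper's code. It takes the orders of the reduced automorphism groups named in Figure 2 and Proposition 5.1, with out-degree 15 at every vertex, to obtain K_G = 6, and then compares the exact walk length required by K_G λ*^n ≤ p^{-m} under the conjectured bound λ* ≤ 12/15 with the simplified bound 4.5 m log p + 9 of the theorem. The function names, the reading of log as the natural logarithm, and the sample primes are assumptions of the example.

```python
import math

# Orders of the reduced automorphism groups of the vertex types of
# Gamma_2^SS(2;p) for p > 5: Jacobian types from Bolza's taxonomy (Figure 2)
# and elliptic-product types from Proposition 5.1. The group names are the
# paper's; the numbers are the orders of those named groups.
RA_ORDER = {
    "Type-A": 1, "Type-I": 2, "Type-II": 5, "Type-III": 4,
    "Type-IV": 6, "Type-V": 12, "Type-VI": 24,
    "Type-Pi": 2, "Type-Pi0": 6, "Type-Pi123": 4, "Type-Pi0,123": 12,
    "Type-Sigma": 4, "Type-Sigma0": 36, "Type-Sigma123": 16,
}
# Every PPAS has 15 Lagrangian subgroups in its 2-torsion, so every vertex
# of the full graph has out-degree 15.
OUT_DEGREE = {t: 15 for t in RA_ORDER}

# Conjectured upper bound on lambda*(Gamma_2^SS(2;p)) for p >= 41 (Conjecture 4.10).
LAMBDA_CONJ = 12 / 15


def k_constant(ra_order=RA_ORDER, degree=OUT_DEGREE):
    """K_G = max over pairs (A, A0) of sqrt(deg A / deg A0 * #RA(A0) / #RA(A))."""
    return max(
        math.sqrt((degree[a] / degree[a0]) * (ra_order[a0] / ra_order[a]))
        for a in ra_order for a0 in ra_order
    )


def error_bound(n, lam=LAMBDA_CONJ, k=None):
    """Right-hand side of (4.4) after bounding the square root by K_G:
    |Pr[A_n = A] - phi_G(A)| <= K_G * lam^n."""
    if k is None:
        k = k_constant()
    return k * lam ** n


def steps_exact(m, p, lam=LAMBDA_CONJ, k=None):
    """Smallest n with K_G * lam^n <= p^(-m), i.e. the bound
    n >= (m log p + log K_G) / log(1/lam) from the proof of Theorem 6.1.
    Assumption: log is the natural logarithm."""
    if k is None:
        k = k_constant()
    return math.ceil((m * math.log(p) + math.log(k)) / math.log(1 / lam))


def steps_theorem_6_1(m, p):
    """The simplified sufficient walk length of Theorem 6.1: n >= 4.5 m log p + 9."""
    return math.ceil(4.5 * m * math.log(p) + 9)


def walk_length_table(primes=(41, 47, 101, 1103), ms=(1, 2, 4)):
    """Rows (m, p, exact bound, Theorem 6.1 bound) over a grid of sample
    parameters (the primes are an arbitrary choice for illustration)."""
    return [(m, p, steps_exact(m, p), steps_theorem_6_1(m, p))
            for m in ms for p in primes]


if __name__ == "__main__":
    print("K_G =", k_constant())
    for m, p, exact, simplified in walk_length_table():
        print(f"m={m} p={p}: exact n >= {exact}, theorem n >= {simplified}")
```

The constant 6 is sqrt(36/1): the worst pair is a Type-Σ0 vertex (reduced automorphism group of order 36) as the starting point against a Type-A target, since all out-degrees are equal. The simplified bound of the theorem is never smaller than the exact one because log 6 / log(15/12) is about 8.03 and 1 / log(15/12) is about 4.48.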
Theorem 4.9, in combination with the classification of reduced automorphism groups in Proposition 5.1, gives us the true proportion of elliptic product nodes in random walks. We have $\frac{p^3}{2880} + O(p^2)$ Jacobians with trivial reduced automorphism group (this is the picture for "almost all" nodes in the graph: only $O(p^2)$ have nontrivial reduced automorphisms), and there are $\frac{p^2}{288} + O(p)$ elliptic products. However, all but $O(p)$ of those products have a reduced automorphism group of order 2, confirming that the (asymptotic) expected proportion of elliptic products in a random walk is equal to $\frac{1}{2} \times \frac{10}{p} = \frac{5}{p}$. Similarly, we could compute proportions for each abelian surface type given in Section 5.
If we combine this with the conjectured upper bound for $\lambda^*(\Gamma_2^{SS}(2; p))$, then we can give the interpretation that elliptic products are evenly distributed in the graph, in the sense that any node is within very few steps of an elliptic product (much less than diametral distance).

6.3. The superspecial isogeny problem in genus 2 and beyond. The general problem of constructing an isogeny between two superspecial $g$-dimensional PPAVs $A_g$ and $A'_g$ over $\mathbb{F}_{p^2}$ was studied in [13]. The algorithm proceeds by computing isogenies $\varphi: A_g \to A_{g-1} \times E$ and $\varphi': A'_g \to A'_{g-1} \times E'$ where $A_{g-1}$ and $A'_{g-1}$ have dimension $g - 1$ and $E$ and $E'$ are elliptic curves, before computing an elliptic isogeny $E \to E'$ and (recursively) computing an isogeny $A_{g-1} \to A'_{g-1}$, then combining the results to produce an isogeny $A_g \to A'_g$. The key step is computing the isogenies $\varphi$ and $\varphi'$ to product PPAVs. The expected complexity of this step is heuristic, and assumes that the isogeny graph of superspecial PPAVs has good expansion properties to ensure that $O(p)$ isogeny walks of length $O(\log p)$ will result in a walk to a product variety with probability $O(1)$. Of course, in practice one cannot simply take walks of length $O(\log p)$: we need a proper bound on the length of these walks (essentially, we need the constant hidden by the big O). Our results show that if we admit Conjecture 4.10, then the expected complexity of the algorithm in [13] is rigorous for $g = 2$, and we can bound the required walk lengths using the claimed eigenvalue bounds as in Theorem 6.1. In particular, for $g = 2$ and $\ell = 2$, it suffices to use walks of length $26 \log_2(p) + 8$.

6.4. Richelot isogeny hash functions. Recall the Richelot-isogeny hash function of [9], which is based on walks in $\Gamma_2^{SS}(2; p)$. A binary representation of the data to be hashed is broken into a series of three-bit chunks; each of the eight possible three-bit values corresponds to the choice of a step in $\Gamma_2^{SS}(2; p)$ such that the composition of the prior step with the current step is a $(4,4)$-isogeny. The hash value is (derived from) the invariants of the final vertex in the walk.

Our results show that finding an input $m$ driving a walk into the induced subgraph $\Gamma_2^{SS}(2; p)^E$ on the elliptic product vertices would immediately yield collisions in the hash function. Indeed, looking at Table 1, we see that every vertex in $\Gamma_2^{SS}(2; p)^E$ has either outgoing edges with multiplicity greater than 1, or a Type-I neighbour with outgoing edges with multiplicity greater than 1. This means that there are multiple kernels, and thus multiple 3-bit input chunks, that produce steps to the same neighbour; in this way, given a walk to $\Gamma_2^{SS}(2; p)^E$, with at most two further steps we can construct explicit hash collisions. Since the forward steps in these walks are restricted to a subset of eight of the fourteen possible onward edges at each vertex, the results in §4.3 do not apply directly here. Still, they give us reason to hope that these restricted random walks will approximate the uniform distribution on $\Gamma_2^{SS}(2; p)$ very quickly. If adversaries can compute walks into $\Gamma_2^{SS}(2; p)^E$ after an expected $O(p)$ steps, as they can with unrestricted walks, then they can use walks into $\Gamma_2^{SS}(2; p)^E$ to construct hash collisions in an expected $O(p)$ operations, which is exponentially fewer than the $O(p^{3/2})$ required by generic attacks.

6.5. Genus 2 SIDH analogues. Our results also have constructive cryptographic applications. For example, consider the genus-2 SIDH analogue proposed by Flynn and Ti [16], a postquantum key exchange algorithm based on commuting random walks in $\Gamma_2^{SS}(2; p)$ and $\Gamma_2^{SS}(3; p)$. The walks involved are very short—on
the order of $\frac{1}{2}\log_2 p$ steps each—and much shorter than the bound of Theorem 6.1. Our results therefore imply that this genus-2 SIDH analogue is overwhelmingly unlikely to encounter $\Gamma_2^{SS}(\ell; p)^E$, provided the base vertex is chosen sensibly.

7. Connectivity and diameters

We mentioned in §4 that Theorem 4.9 can be applied to study distributions in interesting isogeny subgraphs of the superspecial isogeny graph. Let us then distinguish three subgraphs of $\Gamma_g^{SS}(\ell; p)$, each taken to be the induced subgraph defined by its set of vertices:
• $\Gamma_g^{SS}(\ell; p)^J$, the subgraph of Jacobians;
• $\Gamma_g^{SS}(\ell; p)^P$, the subgraph of reducible PPAVs (product varieties); and
• $\Gamma_g^{SS}(\ell; p)^E$, the subgraph of products of elliptic curves.
(Observe that $\Gamma_2^{SS}(\ell; p)^P = \Gamma_2^{SS}(\ell; p)^E$.) Understanding the connectivity of such subgraphs can be useful both when analysing the algorithms that work with them, and when studying the distribution of vertices in the full supersingular graph.

Proposition 7.1. The graphs $\Gamma_g^{SS}(\ell; p)^P$ and $\Gamma_g^{SS}(\ell; p)^E$ are connected and aperiodic for all $g$, $\ell$, and $p$. In particular, both graphs satisfy the hypotheses of Theorem 4.9.

Proof. It is enough to see that $\Gamma_g^{SS}(\ell; p)^E$ is connected and aperiodic, since it is a subgraph of $\Gamma_g^{SS}(\ell; p)^P$ and given a product variety we can find a product isogeny to an elliptic product by the connectivity of $\Gamma_g^{SS}(\ell; p)$. We obtain connectivity from the fact that $\Gamma_g^{SS}(\ell; p)^E$ has a spanning subgraph which is a quotient of the tensor product of $g$ copies of the supersingular isogeny graph $\Gamma_1^{SS}(\ell; p)$. Since $\Gamma_1^{SS}(\ell; p)$ is aperiodic, it contains an odd cycle and so $(\Gamma_1^{SS}(\ell; p))^{\otimes g}$ is connected [45]. We have already proved aperiodicity, since in §4.2 we constructed loops and paths of coprime lengths in $\Gamma_g^{SS}(\ell; p)^E$.

Proposition 7.1 generalizes immediately to any connected component of the general graph $\Gamma_g(\ell; p)$ that contains elliptic products. Conjecture 2 of [9] proposes that the subgraph of the superspecial Richelot isogeny graph supported on the Jacobians is connected; Theorem 7.2 confirms and proves this conjecture. (We should be able to give a similar statement for the Jacobian subgraph even without the superspecial condition, but the technique that we use only allows us to prove it for the case $g = 2$, $\ell = 2$.)

Theorem 7.2. The graph of Jacobians $\Gamma_2^{SS}(2; p)^J$ is connected and aperiodic. In particular, it satisfies the hypotheses of Theorem 4.9.

Proof. To see $\Gamma_2^{SS}(2; p)^J$ is connected, it is enough to check that the subgraph containing all Type-I Jacobians is connected. Indeed, any two Jacobians $J_1$ and $J_2$ are connected by a path in $\Gamma_2^{SS}(2; p)$, and we only need to ensure that subpaths between Type-I Jacobians can be modified to avoid elliptic products. This is always possible by Lemma 7.3 below. The aperiodicity for primes $p \ge 13$ comes from the fact that there are always Type-III Jacobians, which always have a $(2,2)$-endomorphism. One checks easily that $\Gamma_2^{SS}(2; p)^J$ has at least one loop when $p$ is 7 or 11. Indeed, for $p = 7$ the unique Type-VI vertex has a $(2,2)$-endomorphism $\varphi$ with weight $w((\varphi)) = 9$, while for $p = 7$ the unique Type-V vertex has a $(2,2)$-endomorphism $\psi$ with $w((\psi)) = 3$.
Lemma 7.3. Given a path $(J_0) \to (E \times E') \to (A)$ in $\Gamma_2(2; p)$, where $J_0$ is a Jacobian, $E \times E'$ is an elliptic product, and $A$ is any PPAS, there exists either:
(1) A length-2 path $(J_0) \to (J_1) \to (A)$, where $J_1$ is a Jacobian, if the original path represents a $(4,2,2)$-isogeny, or
(2) A length-4 path $(J_0) \to (J_1) \to (J_2) \to (J_3) \to (A)$, where each $J_i$ is a Jacobian, if the original walk represents a $(4,4)$-isogeny.

Proof. Case 1. The original path represents a $(4,2,2)$-isogeny, $\varphi$. Up to isomorphism, $\varphi$ factors into a composition of two $(2,2)$-isogenies in 3 ways:
• $\varphi: J_0 \to E \times E' \to A$,
• $\varphi_1: J_0 \to A_1 \to A$, and
• $\varphi_2: J_0 \to A_2 \to A$.
The isogenies $J_0 \to A_i$ each have one nontrivial kernel point in common with $J_0 \to E \times E'$. We know that $(J_0)$ has at most two elliptic-product neighbours (see Table 1). Recall the language of quadratic splittings detailed in Appendix B.1: the Lagrangian subgroups of $J_0[2]$ correspond to factorizations of $f(x)$ into three coprime quadratics, where $C_0: y^2 = f(x)$ is a sextic model for the genus-2 curve generating $J_0$, and the codomain of the corresponding $(2,2)$-isogeny is an elliptic product precisely when the three quadratics are linearly dependent. After a coordinate transformation, we can suppose that $J_0 \to E \times E'$ is a Richelot isogeny with
$$\ker(J_0 \to E \times E') = \{x^2 - a^2,\ x^2 - b^2,\ x^2 - c^2\}.$$
Relabelling $(a, b, c)$ if necessary, we can assume the point common to $\ker(J_0 \to E \times E')$, $\ker(J_0 \to A_1)$, and $\ker(J_0 \to A_2)$ corresponds to $x^2 - a^2$, and thus
$$\ker(J_0 \to A_1) = \{x^2 - a^2,\ x^2 - (b + c)x + bc,\ x^2 + (b + c)x + bc\}$$
and
$$\ker(J_0 \to A_2) = \{x^2 - a^2,\ x^2 - (b - c)x - bc,\ x^2 + (b - c)x - bc\}.$$
It is easy to check that the determinants of these two triples cannot both vanish unless the original curve is singular.

Case 2. The original walk represents a $(4,4)$-isogeny, $\varphi$. We can always choose a neighbour $(J_2) \neq (J_0)$ of $(E \times E')$ such that $(J_0) \to (E \times E') \to (J_2)$ and $(J_2) \to (E \times E') \to (A)$ both represent $(4,2,2)$-isogenies. Now apply Case 1 to each of these, eliminating $E \times E'$ from the middle of each length-2 path, and compose the results.

Remark 7.4. When $(J_0)$ is Type-III or Type-V in the $(4,2,2)$-isogeny case, it is possible that we obtain $(J_0) = (J_1)$, so we actually simplify to a length-1 path $(J_0) \to (A)$. Further, in the $(4,4)$-isogeny case, we can even have $(J_0) = (J_2)$, and then we can simplify the original length-2 path (and the modified length-4 one) to the length-1 path $(J_0) \to (A)$.

Corollary 7.5. The diameters of $\Gamma_2^{SS}(2; p)$ and $\Gamma_2^{SS}(2; p)^J$ satisfy
$$\mathrm{diam}(\Gamma_2^{SS}(2; p)) - 2 \le \mathrm{diam}(\Gamma_2^{SS}(2; p)^J) \le 2\,\mathrm{diam}(\Gamma_2^{SS}(2; p)).$$
AUTOMORPHISMS AND SUPERSPECIAL RICHELOT ISOGENY GRAPHS
Proof. The first inequality comes from the fact that every elliptic product has a Richelot isogeny to a Jacobian. For the second one, apply Lemma 7.3 repeatedly to bound the distance between any two nodes in $\Gamma_2^{SS}(2;p)^J$.

The lower bound of Corollary 7.5 is tight, as seen for $\Gamma_2^{SS}(2;521)$. Our experimental results suggest that the upper bound has some room for improvement.

8. An example: the superspecial Richelot graph for p = 47

We now exemplify our results on the Richelot isogeny graph for $p = 47$. The graph $\Gamma_2^{SS}(2;47)$ has an appropriate size to observe interesting behaviour. In particular, since $p \equiv 11 \pmod{12}$ and $p \equiv 2 \pmod{5}$, all of the vertex types described in Section 5 except Type-II appear. Table 4 lists the exact counts for each vertex type.

Table 4. Vertex counts for each type in the graph $\Gamma_2^{SS}(2;47)$. Here $A_T$ denotes the subset of vertices of type $T$, while $g_T$ is the corresponding value of $g_i$ in Corollary 4.6.

Type T      #A_T    g_T
A           14      1
I           31      2
II          0       –
III         4       4
IV          6       6
V           1       12
VI          1       23
Σ           3       4
Π           3       2
Π_123       3       4
Π_0         3       6
Σ_123       1       16
Π_{0,123}   1       12
Σ_0         1       36
Let us compute the stationary distribution for the full graph $\Gamma_2^{SS}(2;47)$. First, we partition the vertex set according to each type: $A_{\mathrm{Type\text{-}A}}$ contains the 14 Type-A vertices, $A_{\mathrm{Type\text{-}I}}$ the 31 Type-I vertices, and so on. In the notation of Corollary 4.6, if $A_i = A_T$ for a type $T$, then the values of $g_i$ are the $g_T$ in Table 4. (In general, we would also have $g_{II} = 1/5$.) Since all vertices have 15 Lagrangian subgroups in their two-torsion, Corollary 4.6 says that (after normalization) the stationary distribution is given by
$$\tilde\varphi(A) = \frac{1}{g_T} \quad \text{whenever } A \text{ is of type } T.$$
We can observe this partially in Figure 4. The picture lacks the edge weights, which we have omitted for the sake of clarity. Nevertheless, we see clearly that vertices with larger reduced automorphism groups are more isolated, because lots of isogenies are identified through automorphisms. This makes these vertices harder to reach in a random walk, so they have a smaller value in the stationary distribution.

We may also compute the stationary distributions of $\Gamma_2^{SS}(2;47)^J$ and $\Gamma_2^{SS}(2;47)^E$. Recall from Table 1 that the degrees in these graphs are no longer regular: for example, Type-A varieties have 15 isogenies to other Jacobians, while Type-I varieties have 14 isogenies to other Jacobians and a single isogeny to a product of elliptic curves. The stationary probability for a vertex $A$ of type $T$ is
$$\tilde\varphi(A) = \frac{\deg A}{g_T} \quad \text{whenever } A \text{ is of type } T,$$
where $\deg A$ is now the number of isogenies from $A$ to vertices in the same graph, and $g_T$ is defined as above. In this setting, the vertices which are not of Type-A in $\Gamma_2^{SS}(2;47)^J$ get more isolated, because they all have out-degree less than 15. On the other hand, the stationary distribution is uniformized slightly in $\Gamma_2^{SS}(2;47)^E$, because the vertices with
larger automorphism groups have one, two or three fewer isogenies to Jacobians. This can be seen in Figure 5. These phenomena generalize immediately to $\Gamma_2^{SS}(\ell;p)$ for all primes $\ell \neq p$, due to the generality achieved in Theorem 4.9.

Figure 4. The superspecial Richelot isogeny graph for p = 47. Vertices are labeled with their types; unlabeled vertices are Type-A, with trivial reduced automorphism group. Loops are omitted.

Appendix A. Experimental diameters and λ for $\Gamma_2^{SS}(2;p)$

The following table consists of experimental data computed for the graphs $G = \Gamma_2^{SS}(2;p)$, $J = \Gamma_2^{SS}(2;p)^J$ and $E = \Gamma_2^{SS}(2;p)^E$. The computed values are the diameters $d(G)$, $d(J)$ and $d(E)$, and the (scaled) second-largest eigenvalues of each graph. In particular, the second eigenvalues of $\Gamma_2^{SS}(2;p)$ support Conjecture 4.10. We use the notation $\tilde\lambda = 15\lambda$.

  p   d(G)  d(J)  d(E)   λ̃(G)    λ̃(J)    λ̃(E)
 17    3     3     2    10.671   9.203   3.000
 19    3     3     2    11.072  10.016   1.833
 23    3     4     2    10.241   8.993   4.102
 29    4     4     4    10.472   9.522   6.460
 31    3     4     2    11.183  10.516   5.748
 37    4     4     2    10.797  10.025   5.372
 41    5     5     6    11.436  10.098   7.837
 43    4     4     2    11.153  10.650   5.495
 47    4     5     4    11.131  10.526   7.580
 53    5     5     4    11.060  10.769   6.145
 59    5     5     5    11.475  10.447   7.927
 61    5     6     3    11.451  11.037   6.978
 67    5     4     4    11.563  11.210   7.537
 71    5     5     4    11.341  10.885   7.183
 73    5     5     4    11.577  11.129   7.575
 79    5     5     3    11.216  10.774   6.576
 83    6     6     5    11.262  11.023   8.241
 89    6     6     6    11.307  10.681   8.418
 97    5     5     6    11.494  11.089   7.973
101    6     6     7    11.192  10.817   8.474
103    6     6     5    11.217  10.980   8.644
107    6     6     6    11.379  11.203   7.344
109    6     6     4    11.168  10.985   6.549
113    6     6     6    11.386  11.156   7.593
127    6     6     4    11.612  11.383   7.522
131    7     6     8    11.525  11.373   8.179
137    6     6     6    11.648  11.440   7.193
139    6     6     5    11.528  11.424   7.682
149    7     7     8    11.534  11.407   8.131
151    6     6     4    11.387  11.285   7.338
157    6     7     6    11.508  11.291   8.489
163    6     6     6    11.638  11.376   8.012
167    7     7     6    11.494  11.359   8.116
173    7     7     7    11.631  11.408   8.077
179    7     7     8    11.586  11.459   8.075
181    6     7     6    11.347  11.267   8.270
191    7     7     7    11.461  11.348   8.307
193    6     6     5    11.537  11.431   7.754
197    7     7     8    11.295  11.207   7.789
199    7     7     6    11.361  11.261   8.041
211    7     7     6    11.610  11.522   7.933
223    7     7     7    11.484  11.339   8.334
227    7     7     7    11.480  11.397   8.110
229    7     7     6    11.605  11.486   8.076
233    7     7     6    11.523  11.420   7.672
239    8     7     8    11.581  11.431   8.246
241    7     7     6    11.507  11.342   8.233
251    8     7     8    11.568  11.371   8.585
257    8     7     8    11.636  11.462   8.315
263    7     7     7    11.539  11.433   7.640
269    8     7     8    11.448  11.337   8.405
271    7     7     6    11.537  11.482   8.037
277    7     8     6    11.530  11.396   7.935
281    7     7     8    11.479  11.366   8.297
283    7     7     7    11.582  11.504   8.272
293    8     8     8    11.582  11.430   8.390
307    7     7     7    11.614  11.535   8.244
311    8     8     7    11.507  11.383   8.411
313    8     7     7    11.645  11.480   8.439
317    8     8     7    11.543  11.495   7.922
331    7     7     7    11.505  11.450   8.018
337    7     7     7    11.613  11.542   8.005
347    8     8     8    11.520  11.457   8.185
349    8     8     8    11.465  11.407   8.485
353    8     8     8    11.561  11.490   8.143
359    8     8     8    11.556  11.500   8.311
367    8     8     7    11.553  11.463   8.352
373    8     8     7    11.475  11.411   8.259
379    8     7     7    11.474  11.408   8.202
383    8     8     7    11.548  11.492   8.351
389    8     8     9    11.582  11.544   8.280
397    8     8     7    11.593  11.523   8.368
401    8     8     8    11.558  11.492   8.315
409    8     8     8    11.626  11.575   8.354
419    9     8    10    11.555  11.472   8.552
421    8     8     6    11.614  11.569   8.015
431    8     8     8    11.585  11.512   8.276
433    8     8     9    11.615  11.532   8.516
439    8     8     8    11.509  11.459   8.389
443    8     8     9    11.501  11.458   8.287
449    8     8     8    11.546  11.499   8.178
457    8     8     8    11.539  11.460   8.429
461    9     8     9    11.588  11.513   8.452
463    8     8     9    11.514  11.458   8.394
467    8     8     8    11.608  11.561   8.332
479    8     8     9    11.579  11.524   8.202
487    8     8     8    11.546  11.512   8.320
491    8     8     8    11.606  11.529   8.217
499    8     8     8    11.492  11.457   8.168
503    9     8     8    11.606  11.529   8.209
509    9     9     9    11.607  11.542   8.431
521   10     8    10    11.618  11.566   8.295
523    8     8     8    11.596  11.545   8.338
541    8     8     8    11.518  11.469   8.255
547    8     8     8    11.591  11.555   8.282
557    9     8    10    11.528  11.490   8.277
563    9     9     8    11.542  11.486   8.360
569    9     8    10    11.573  11.525   8.366
571    8     8     8    11.605  11.560   8.262
577    8     8     8    11.612  11.490   8.438
587    9     9     9    11.628  11.565   8.362
593    9     8    10    11.642  11.565   8.446
599    9     9     9    11.535  11.481   8.449
601    8     8     8    11.553  11.518   8.219
Appendix B. Explicit formulæ for genus-2 computations

This appendix collects useful formulæ for computing explicit Richelot isogenies, and identifying the reduced automorphism groups of abelian surfaces.

B.1. Richelot isogenies. Let $C : y^2 = F(x)$ be a genus-2 curve, with $F$ squarefree of degree 5 or 6. The Lagrangian subgroups of $\mathcal{J}(C)[2]$ correspond to factorizations of $F$ into quadratics (of which one may be linear, if $\deg(F) = 5$):
$$C : y^2 = F(x) = F_1(x)F_2(x)F_3(x),$$
up to permutation of the $F_i$ and constant multiples. We call such factorizations quadratic splittings. Fix one such quadratic splitting $\{F_1, F_2, F_3\}$; then the corresponding subgroup $K \subset \mathcal{J}(C)[2]$ is the kernel of a $(2,2)$-isogeny $\phi : \mathcal{J}(C) \to \mathcal{J}(C)/K$. For each $1 \le i \le 3$, we write $F_i(x) = F_{i,2}x^2 + F_{i,1}x + F_{i,0}$. Now let
$$\delta = \delta(F_1, F_2, F_3) := \begin{vmatrix} F_{1,0} & F_{1,1} & F_{1,2} \\ F_{2,0} & F_{2,1} & F_{2,2} \\ F_{3,0} & F_{3,1} & F_{3,2} \end{vmatrix}.$$
If $\delta(F_1, F_2, F_3) \neq 0$, then $\mathcal{J}(C)/K$ is isomorphic to a Jacobian $\mathcal{J}(C')$, which we can compute using Richelot's algorithm (see [5] and [39, §8]). First, let
$$G_1(x) := \delta^{-1}\cdot\big(F_2'(x)F_3(x) - F_3'(x)F_2(x)\big),$$
$$G_2(x) := \delta^{-1}\cdot\big(F_3'(x)F_1(x) - F_1'(x)F_3(x)\big),$$
$$G_3(x) := \delta^{-1}\cdot\big(F_1'(x)F_2(x) - F_2'(x)F_1(x)\big).$$
Now the isogenous Jacobian is $\mathcal{J}(C')$, where $C'$ is the curve
$$C' : y^2 = G(x) = G_1(x)G_2(x)G_3(x)$$
and the quadratic splitting $\{G_1, G_2, G_3\}$ corresponds to the kernel of the dual isogeny $\phi^\dagger : \mathcal{J}(C') \to \mathcal{J}(C)$. The $F_i$ and $G_i$ are related by the identity
$$F_1(x_1)G_1(x_2) + F_2(x_1)G_2(x_2) + F_3(x_1)G_3(x_2) + (x_1 - x_2)^2 = 0.$$
Bruin and Doerksen present a convenient form for a divisorial correspondence $R \subset C \times C'$ inducing the isogeny $\phi$ (see [7, §4]):
$$(\mathrm{B.1})\qquad R : \begin{cases} F_1(x_1)G_1(x_2) + F_2(x_1)G_2(x_2) = 0, \\ F_1(x_1)G_1(x_2)(x_1 - x_2) = y_1y_2, \\ F_2(x_1)G_2(x_2)(x_1 - x_2) = -y_1y_2. \end{cases}$$
If $\delta(F_1, F_2, F_3) = 0$, then $\mathcal{J}(C)/K$ is isomorphic to an elliptic product $E \times E'$. Let $D(\lambda)$ be the discriminant of the quadratic polynomial $F_1 + \lambda F_2$, and let $\lambda_1$ and $\lambda_2$ be the roots of $D(\lambda)$; then $F_1 + \lambda_1F_2 = U^2$ and $F_1 + \lambda_2F_2 = V^2$ for some linear polynomials $U$ and $V$. Now $F_1 = \alpha_1U^2 + \beta_1V^2$ and $F_2 = \alpha_2U^2 + \beta_2V^2$ for some $\alpha_1$, $\beta_1$, $\alpha_2$, and $\beta_2$, and since in this case $F_3$ is a linear combination of $F_1$ and $F_2$, we must have $F_3 = \alpha_3U^2 + \beta_3V^2$ for some $\alpha_3$ and $\beta_3$. Now, rewriting the defining equation of $C$ as
$$C : Y^2 = \prod_{i=1}^{3}(\alpha_iU^2 + \beta_iV^2),$$
it is clear that the elliptic curves
$$E : Y^2 = \prod_{i=1}^{3}(\alpha_iX + \beta_iZ) \qquad\text{and}\qquad E' : Y^2 = \prod_{i=1}^{3}(\beta_iX + \alpha_iZ)$$
are the images of double covers $\pi : C \to E$ and $\pi' : C \to E'$ defined by $\pi((X:Y:Z)) = (U:Y:V)$ and $\pi'((X:Y:Z)) = (V:Y:U)$, respectively. The product of these covers induces the isogeny $\phi : \mathcal{J}(C) \to E \times E'$.

Figure 5. The subgraphs of $\Gamma_2^{SS}(2;47)$ supported on Jacobians (left, (a) Jacobian subgraph) and elliptic products (right, (b) Elliptic product subgraph). Vertex positions are maintained with respect to Figure 4.

B.2. Isogenies from elliptic products. Consider a generic pair of elliptic curves over $k$, defined by
$$E : y^2 = (x - s_1)(x - s_2)(x - s_3) \qquad\text{and}\qquad E' : y^2 = (x - s_1')(x - s_2')(x - s_3').$$
We have $E[2] = \{0_E, P_1, P_2, P_3\}$ and $E'[2] = \{0_{E'}, P_1', P_2', P_3'\}$ where $P_i := (s_i, 0)$ and $P_i' := (s_i', 0)$. For each $1 \le i \le 3$, we let
$$\psi_i : E \to E_i := E/\langle P_i\rangle \qquad\text{and}\qquad \psi_i' : E' \to E_i' := E'/\langle P_i'\rangle$$
be the quotient 2-isogenies. These can be computed using Vélu's formulæ [44]. The fifteen Lagrangian subgroups of $(E \times E')[2]$ fall naturally into two kinds. Nine of the kernels correspond to products of 2-isogeny kernels in $E[2]$. Namely, for each $1 \le i, j \le 3$ we have a subgroup
$$K_{i,j} := \langle (P_i, 0_{E'}), (0_E, P_j') \rangle \subset (E \times E')[2],$$
and a quotient isogeny $\phi_{i,j} : E \times E' \to (E \times E')/K_{i,j} \cong E_i \times E_j'$. Of course, $\phi_{i,j} = \psi_i \times \psi_j'$; we can thus compute $\phi_{i,j}$, and the codomains $E_i \times E_j'$, using Vélu's formulæ as above. The other six kernels correspond to 2-Weil anti-isometries $E[2] \cong E'[2]$: they are
$$K_\pi := \{(0_E, 0_{E'}),\ (P_1, P_{\pi(1)}'),\ (P_2, P_{\pi(2)}'),\ (P_3, P_{\pi(3)}')\} \qquad\text{for } \pi \in \mathrm{Sym}(\{1,2,3\}),$$
with quotient isogenies $\phi_\pi : E \times E' \to A_\pi := (E \times E')/K_\pi$. If the anti-isometry $P_i \mapsto P_{\pi(i)}'$ is induced by an isomorphism $E \to E'$, then $A_\pi$ is isomorphic to $E \times E'$; otherwise, it is the Jacobian of a genus-2 curve $C_\pi$, which we can compute using the formulæ below (taken from [22, Proposition 4]). Writing $\alpha_i := x(P_i)$ and $\beta_i := x(P_{\pi(i)}')$ for $1 \le i \le 3$, let
$$a_1 := \frac{(\alpha_3 - \alpha_2)^2}{\beta_3 - \beta_2} + \frac{(\alpha_2 - \alpha_1)^2}{\beta_2 - \beta_1} + \frac{(\alpha_1 - \alpha_3)^2}{\beta_1 - \beta_3},$$
$$b_1 := \frac{(\beta_3 - \beta_2)^2}{\alpha_3 - \alpha_2} + \frac{(\beta_2 - \beta_1)^2}{\alpha_2 - \alpha_1} + \frac{(\beta_1 - \beta_3)^2}{\alpha_1 - \alpha_3},$$
$$a_2 := \alpha_1(\beta_3 - \beta_2) + \alpha_2(\beta_1 - \beta_3) + \alpha_3(\beta_2 - \beta_1),$$
$$b_2 := \beta_1(\alpha_3 - \alpha_2) + \beta_2(\alpha_1 - \alpha_3) + \beta_3(\alpha_2 - \alpha_1),$$
$$A := \Delta \cdot a_1/a_2 \quad\text{where } \Delta := (\beta_2 - \beta_3)^2(\beta_1 - \beta_3)^2(\beta_1 - \beta_2)^2,$$
$$B := \Delta' \cdot b_1/b_2 \quad\text{where } \Delta' := (\alpha_2 - \alpha_3)^2(\alpha_1 - \alpha_3)^2(\alpha_1 - \alpha_2)^2,$$
and finally
$$F_1 := A(\alpha_2 - \alpha_1)(\alpha_1 - \alpha_3)X^2 + B(\beta_2 - \beta_1)(\beta_1 - \beta_3)Z^2,$$
$$F_2 := A(\alpha_3 - \alpha_2)(\alpha_2 - \alpha_1)X^2 + B(\beta_3 - \beta_2)(\beta_2 - \beta_1)Z^2,$$
$$F_3 := A(\alpha_1 - \alpha_3)(\alpha_3 - \alpha_2)X^2 + B(\beta_1 - \beta_3)(\beta_3 - \beta_2)Z^2.$$
Now the curve $C_\pi$ may be defined by
$$C_\pi : Y^2 = -F_1(X,Z)F_2(X,Z)F_3(X,Z).$$
The dual isogeny $\phi_\pi^\dagger : \mathcal{J}(C_\pi) \to E \times E'$ corresponds to the quadratic splitting $\{F_1, F_2, F_3\}$.

B.3. Identifying reduced automorphism types of Jacobians. We can identify the isomorphism class of a Jacobian $\mathcal{J}(C)$ using the Clebsch invariants $A, B, C, D$ of $C$, which are homogeneous polynomials of degree 2, 4, 6, and 10 in the coefficients of the sextic defining $C$. These invariants should be seen as coordinates on the weighted projective space $\mathbb{P}(2,4,6,10)$: that is, $(A : B : C : D) = (\lambda^2A : \lambda^4B : \lambda^6C : \lambda^{10}D)$ for all nonzero $\lambda$ in $k$. The Clebsch invariants can be computed using a series of transvectants involving the sextic (see [33, §1]), but it is more convenient to use (for example) ClebschInvariants in Magma [4] or clebsch_invariants from the sage.schemes.hyperelliptic_curves.invariants library of Sage [43]. If $C/\mathbb{F}_p$ is superspecial, then $(A : B : C : D)$ are in $\mathbb{F}_{p^2}$.
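As an added worked example (not code from the paper), the following Python carries out the Richelot step of B.1 over $\mathbb{F}_{47}$ and the determinant argument from the proof of Lemma 7.3: it computes $\delta$ and the $G_i$ for the three splittings $\{x^2-a^2, x^2-b^2, x^2-c^2\}$, $\{x^2-a^2, x^2 \mp (b+c)x + bc\}$ and $\{x^2-a^2, x^2 \mp (b-c)x - bc\}$, checks the identity $\sum_i F_i(x_1)G_i(x_2) + (x_1-x_2)^2 = 0$, and checks that applying Richelot's algorithm to $\{G_1,G_2,G_3\}$ returns the original splitting. The sample values $a=2$, $b=3$, $c=5$ are constructed for illustration and the curve is not assumed to be superspecial.

```python
# Added example, not code from the paper: Richelot's (2,2)-isogeny step of
# Appendix B.1 over F_p, the duality identity, and the determinant test used
# in the proof of Lemma 7.3.  Polynomials are coefficient lists mod p with the
# constant term first; a quadratic splitting is a triple of such lists.
P = 47  # the prime of the Section 8 example; any odd prime works here

def trim(a):
    """Strip trailing zeros so equal polynomials compare equal as lists."""
    a = list(a)
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def pmul(a, b, p=P):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return trim(out)

def psub(a, b, p=P):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x - y) % p for x, y in zip(a, b)])

def pderiv(a, p=P):
    return trim([(i * a[i]) % p for i in range(1, len(a))] or [0])

def peval(a, x, p=P):
    r = 0
    for c in reversed(a):
        r = (r * x + c) % p
    return r

def coeffs3(f):
    """(F_{i,0}, F_{i,1}, F_{i,2}) of a factor of degree at most 2."""
    assert len(f) <= 3, "splitting factors must have degree <= 2"
    return (list(f) + [0, 0, 0])[:3]

def delta(F1, F2, F3, p=P):
    """The determinant delta(F1, F2, F3) of B.1; it is zero exactly when
    the (2,2)-isogeny lands on an elliptic product."""
    m = [coeffs3(F) for F in (F1, F2, F3)]
    d = (m[0][0] * (m[1][1] * m[2][2] - m[1][2] * m[2][1])
         - m[0][1] * (m[1][0] * m[2][2] - m[1][2] * m[2][0])
         + m[0][2] * (m[1][0] * m[2][1] - m[1][1] * m[2][0]))
    return d % p

def richelot(F1, F2, F3, p=P):
    """Richelot's algorithm: the splitting {G1, G2, G3} of the isogenous
    Jacobian J(C'), C': y^2 = G1 G2 G3, or None when delta = 0."""
    d = delta(F1, F2, F3, p)
    if d == 0:
        return None
    dinv = pow(d, -1, p)
    def bracket(A, B):  # delta^{-1} * (A'(x) B(x) - B'(x) A(x))
        diff = psub(pmul(pderiv(A, p), B, p), pmul(pderiv(B, p), A, p), p)
        return trim([(dinv * c) % p for c in diff])
    return (bracket(F2, F3), bracket(F3, F1), bracket(F1, F2))

def identity_holds(Fs, Gs, p=P):
    """Check F1(x1)G1(x2) + F2(x1)G2(x2) + F3(x1)G3(x2) + (x1 - x2)^2 = 0
    at every pair of points of F_p (more than enough for a degree-2 identity)."""
    for x1 in range(p):
        for x2 in range(p):
            s = sum(peval(F, x1, p) * peval(G, x2, p) for F, G in zip(Fs, Gs))
            if (s + (x1 - x2) ** 2) % p:
                return False
    return True

def lemma_7_3_splittings(a, b, c, p=P):
    """The three splittings of f = (x^2-a^2)(x^2-b^2)(x^2-c^2) sharing the
    factor x^2 - a^2, as in the proof of Lemma 7.3: the elliptic-product
    kernel and the kernels of J0 -> A1 and J0 -> A2."""
    sq = lambda t: (t * t) % p
    ell = ([-sq(a) % p, 0, 1], [-sq(b) % p, 0, 1], [-sq(c) % p, 0, 1])
    A1 = ([-sq(a) % p, 0, 1], [b * c % p, -(b + c) % p, 1], [b * c % p, (b + c) % p, 1])
    A2 = ([-sq(a) % p, 0, 1], [-b * c % p, -(b - c) % p, 1], [-b * c % p, (b - c) % p, 1])
    return ell, A1, A2

if __name__ == "__main__":
    ell, A1, A2 = lemma_7_3_splittings(2, 3, 5)   # constructed sample values
    print([delta(*S) for S in (ell, A1, A2)])      # the first is 0, the others are not
    G = richelot(*A1)
    print(identity_holds(A1, G), richelot(*G) == tuple(A1))
```

The two nonzero determinants are $2(b+c)(a^2+bc)$ and $2(b-c)(a^2-bc)$, which is why they cannot both vanish unless $f$ has a repeated root.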
To determine $\mathrm{RA}(\mathcal{J}(C))$ for a given genus-2 $C$, we use necessary and sufficient conditions on the Clebsch invariants derived by Bolza [3, §11], given here in Table 6. These criteria involve some derived invariants: following Mestre's notation [33], let
$$A_{11} = 2C + \tfrac{1}{3}AB, \qquad A_{12} = \tfrac{2}{3}(B^2 + AC), \qquad A_{23} = \tfrac{1}{2}B\cdot A_{12} + \tfrac{1}{3}C\cdot A_{11},$$
$$A_{22} = D, \qquad A_{31} = D, \qquad A_{33} = \tfrac{1}{2}B\cdot A_{22} + \tfrac{1}{3}C\cdot A_{12}$$
(recall again that $\operatorname{char} k$ is not 2 or 3). Finally, the $R$-invariant is defined by
$$R^2 = \frac{1}{2}\begin{vmatrix} A_{11} & A_{12} & A_{31} \\ A_{12} & A_{22} & A_{23} \\ A_{31} & A_{23} & A_{33} \end{vmatrix}.$$

Table 6. The classification of reduced automorphism groups of Jacobian surfaces, with necessary and sufficient conditions on the Clebsch invariants for each type.

Type       RA(J(C))   Conditions on Clebsch invariants
Type-A     1          R ≠ 0, (A : B : C : D) ≠ (0 : 0 : 0 : 1)
Type-I     C2         R = 0 and A11 A22 ≠ A12²
Type-II    C5         (A : B : C : D) = (0 : 0 : 0 : 1)
Type-III   C2²        B A11 − 2A A12 = −6D, C A11 + 2B A12 = AD, D ≠ 0, 6C² ≠ B³
Type-IV    S3         6C² = B³, 3D = 2B A11, 2AB ≠ 15C, D ≠ 0
Type-V     D_{2×6}    6B = A², D = 0, A11 = 0, A ≠ 0
Type-VI    S4         (A : B : C : D) = (1 : 0 : 0 : 0)
References

[1] Sinan Aksoy, Fan Chung, and Xing Peng, Extreme values of the stationary distribution of random walks on directed graphs, Adv. in Appl. Math. 81 (2016), 128–155, DOI 10.1016/j.aam.2016.06.012. MR3551666
[2] Reza Azarderakhsh, Brian Koziel, Matt Campagna, Brian LaMacchia, Craig Costello, Patrick Longa, Luca De Feo, Michael Naehrig, Basil Hess, Joost Renes, Amir Jalali, Vladimir Soukharev, David Jao, and David Urbanik, Supersingular Isogeny Key Encapsulation, http://sike.org, 2017.
[3] Oskar Bolza, On binary sextics with linear transformations into themselves, Amer. J. Math. 10 (1887), no. 1, 47–70, DOI 10.2307/2369402. MR1505464
[4] Wieb Bosma, John J. Cannon, Claus Fieker, and Allan Steel, Handbook of Magma functions, 2.25 ed., January 2020.
[5] Jean-Benoît Bost and Jean-François Mestre, Moyenne arithmético-géométrique et périodes des courbes de genre 1 et 2 (French), Gaz. Math. 38 (1988), 36–64. MR970659
[6] Bradley Wayne Brock, Superspecial curves of genera two and three, ProQuest LLC, Ann Arbor, MI, 1993. Thesis (Ph.D.)–Princeton University. MR2689446
[7] Nils Bruin and Kevin Doerksen, The arithmetic of genus two curves with (4, 4)-split Jacobians, Canad. J. Math. 63 (2011), no. 5, 992–1024, DOI 10.4153/CJM-2011-039-3. MR2866068
[8] Reinier Bröker, Kristin Lauter, and Andrew V. Sutherland, Modular polynomials via isogeny volcanoes, Math. Comp. 81 (2012), no. 278, 1201–1231, DOI 10.1090/S0025-5718-2011-02508-1. MR2869057
[9] Wouter Castryck, Thomas Decru, and Benjamin Smith, Hash functions from superspecial genus-2 curves using Richelot isogenies, J. Math. Cryptol. 14 (2020), no. 1, 268–292, DOI 10.1515/jmc-2019-0021. MR4134760
[10] Wouter Castryck, Tanja Lange, Chloe Martindale, Lorenz Panny, and Joost Renes, CSIDH: an efficient post-quantum commutative group action, Advances in cryptology—ASIACRYPT 2018. Part III, Lecture Notes in Comput. Sci., vol. 11274, Springer, Cham, 2018, pp. 395–427, DOI 10.1007/978-3-030-03332-3_15. MR3897883
[11] Denis X. Charles, Eyal Z. Goren, and Kristin E. Lauter, Families of Ramanujan graphs and quaternion algebras, Groups and symmetries, CRM Proc. Lecture Notes, vol. 47, Amer. Math. Soc., Providence, RI, 2009, pp. 53–80, DOI 10.1090/crmp/047/05. MR2500554
[12] Denis X. Charles, Kristin E. Lauter, and Eyal Z. Goren, Cryptographic hash functions from expander graphs, J. Cryptology 22 (2009), no. 1, 93–113, DOI 10.1007/s00145-007-9002-x. MR2496385
[13] Craig Costello and Benjamin Smith, The supersingular isogeny problem in genus 2 and beyond, Post-quantum cryptography, Lecture Notes in Comput. Sci., vol. 12100, Springer, Cham, [2020] ©2020, pp. 151–168, DOI 10.1007/978-3-030-44223-1_9. MR4139650
[14] Luca De Feo, David Jao, and Jérôme Plût, Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies, J. Math. Cryptol. 8 (2014), no. 3, 209–247, DOI 10.1515/jmc-2012-0015. MR3259113
[15] Enric Florit and Benjamin Smith, An atlas of the superspecial Richelot isogeny graph, Preprint: https://hal.inria.fr/hal-03094296, 2020.
[16] E. V. Flynn and Yan Bo Ti, Genus two isogeny cryptography, Post-quantum cryptography, Lecture Notes in Comput. Sci., vol. 11505, Springer, Cham, 2019, pp. 286–306, DOI 10.1007/978-3-030-25510-7_16. MR3989010
[17] Mireille Fouquet and François Morain, Isogeny volcanoes and the SEA algorithm, Algorithmic number theory (Sydney, 2002), Lecture Notes in Comput. Sci., vol. 2369, Springer, Berlin, 2002, pp. 276–291, DOI 10.1007/3-540-45455-1_23. MR2041091
[18] Steven D. Galbraith, Christophe Petit, and Javier Silva, Identification protocols and signature schemes based on supersingular isogeny problems, Advances in cryptology—ASIACRYPT 2017. Part I, Lecture Notes in Comput. Sci., vol. 10624, Springer, Cham, 2017, pp. 3–33, DOI 10.1007/978-3-319-70694-8_1. MR3747691
[19] The GAP Group, GAP – Groups, Algorithms, and Programming, Version 4.11.0, 2020.
[20] P. Gaudry and É. Schost, On the invariants of the quotients of the Jacobian of a curve of genus 2, Applied algebra, algebraic algorithms and error-correcting codes (Melbourne, 2001), Lecture Notes in Comput. Sci., vol. 2227, Springer, Berlin, 2001, pp. 373–386, DOI 10.1007/3-540-45624-4_39. MR1913484
[21] Shlomo Hoory, Nathan Linial, and Avi Wigderson, Expander graphs and their applications, Bull. Amer. Math. Soc. (N.S.) 43 (2006), no. 4, 439–561, DOI 10.1090/S0273-0979-06-01126-8. MR2247919
[22] Everett W. Howe, Franck Leprévost, and Bjorn Poonen, Large torsion subgroups of split Jacobians of curves of genus two or three, Forum Math. 12 (2000), no. 3, 315–364, DOI 10.1515/form.2000.008. MR1748483
[23] Tomoyoshi Ibukiyama, Toshiyuki Katsura, and Frans Oort, Supersingular curves of genus two and class numbers, Compositio Math. 57 (1986), no. 2, 127–152. MR827350
[24] David Jao and Luca De Feo, Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies, Post-quantum cryptography, Lecture Notes in Comput. Sci., vol. 7071, Springer, Heidelberg, 2011, pp. 19–34, DOI 10.1007/978-3-642-25405-5_2. MR2931459
[25] Bruce W. Jordan and Yevgeny Zaytman, Isogeny graphs of superspecial abelian varieties and generalized Brandt matrices, preprint, arXiv:2005.09031 [math.NT], 2020.
[26] Toshiyuki Katsura and Katsuyuki Takashima, Counting Richelot isogenies between superspecial abelian surfaces, ANTS XIV—Proceedings of the Fourteenth Algorithmic Number Theory Symposium, Open Book Ser., vol. 4, Math. Sci. Publ., Berkeley, CA, 2020, pp. 283–300, DOI 10.2140/obs.2020.4.283. MR4235119
[27] David Russell Kohel, Endomorphism rings of elliptic curves over finite fields, ProQuest LLC, Ann Arbor, MI, 1996. Thesis (Ph.D.)–University of California, Berkeley. MR2695524
[28] David A. Levin and Yuval Peres, Markov chains and mixing times, American Mathematical Society, Providence, RI, 2017. Second edition of [MR2466937]; With contributions by Elizabeth L. Wilmer; With a chapter on "Coupling from the past" by James G. Propp and David B. Wilson, DOI 10.1090/mbk/107. MR3726904
[29] Ke-Zheng Li and Frans Oort, Moduli of supersingular abelian varieties, Lecture Notes in Mathematics, vol. 1680, Springer-Verlag, Berlin, 1998, DOI 10.1007/BFb0095931. MR1611305
[30] L. Lovász, Random walks on graphs: a survey, Combinatorics, Paul Erdős is eighty, Vol. 2 (Keszthely, 1993), Bolyai Soc. Math. Stud., vol. 2, János Bolyai Math. Soc., Budapest, 1996, pp. 353–397. MR1395866
[31] Ricardo Menares, Equidistribution of Hecke points on the supersingular module, Proc. Amer. Math. Soc. 140 (2012), no. 8, 2687–2691, DOI 10.1090/S0002-9939-2011-11148-1. MR2910756
[32] J.-F. Mestre, La méthode des graphes. Exemples et applications (French), Proceedings of the international conference on class numbers and fundamental units of algebraic number fields (Katata, 1986), Nagoya Univ., Nagoya, 1986, pp. 217–242. MR891898
[33] Jean-François Mestre, Construction de courbes de genre 2 à partir de leurs modules (French), Effective methods in algebraic geometry (Castiglioncello, 1990), Progr. Math., vol. 94, Birkhäuser Boston, Boston, MA, 1991, pp. 313–334. MR1106431
[34] Frans Oort, A stratification of a moduli space of abelian varieties, Moduli of abelian varieties (Texel Island, 1999), Progr. Math., vol. 195, Birkhäuser, Basel, 2001, pp. 345–416, DOI 10.1007/978-3-0348-8303-0_13. MR1827027
[35] Arnold K. Pizer, Ramanujan graphs and Hecke operators, Bull. Amer. Math. Soc. (N.S.) 23 (1990), no. 1, 127–137, DOI 10.1090/S0273-0979-1990-15918-X. MR1027904
[36] Friedrich Julius Richelot, Essai sur une méthode générale pour déterminer les valeurs des intégrales ultra-elliptiques, fondée sur des transformations remarquables de ces transcendantes, Comptes Rendus Mathématique. Académie des Sciences. Paris 2 (1836), 622–627.
[37] Fried. Jul. Richelot, De transformatione integralium Abelianorum primi ordinis commentatio (Latin), J. Reine Angew. Math. 16 (1837), 221–284, DOI 10.1515/crll.1837.16.221. MR1578134
[38] Alexander Rostovtsev and Anton Stolbunov, Public-key cryptosystem based on isogenies, Cryptology ePrint Archive, Report 2006/145, April 2006.
[39] Benjamin Smith, Explicit endomorphisms and correspondences, Ph.D. thesis, University of Sydney, 2005.
[40] Anton Stolbunov, Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves, Adv. Math. Commun. 4 (2010), no. 2, 215–235, DOI 10.3934/amc.2010.4.215. MR2654134
[41] Andrew V. Sutherland, Identifying supersingular elliptic curves, LMS J. Comput. Math. 15 (2012), 317–325, DOI 10.1112/S1461157012001106. MR2988819
[42] Katsuyuki Takashima, Efficient algorithms for isogeny sequences and their cryptographic applications, Mathematical modelling for next-generation cryptography, Math. Ind. (Tokyo), vol. 29, Springer, Singapore, 2018, pp. 97–114. MR3586863
[43] The Sage Developers, SageMath, the Sage Mathematics Software System (Version 9.1), 2020, https://www.sagemath.org.
[44] Jacques Vélu, Isogénies entre courbes elliptiques (French), C. R. Acad. Sci. Paris Sér. A-B 273 (1971), A238–A241. MR294345
[45] Paul M. Weichsel, The Kronecker product of graphs, Proc. Amer. Math. Soc. 13 (1962), 47–52, DOI 10.2307/2033769. MR133816

Departament de Matemàtiques i Informàtica, Universitat de Barcelona (UB), Gran Via de les Corts Catalanes 585, 08007 Barcelona, Spain
Email address: [email protected]

Inria and Laboratoire d'Informatique (LIX), CNRS, École polytechnique, Institut Polytechnique de Paris, 91120 Palaiseau, France
Email address: [email protected]
Contemporary Mathematics Volume 779, 2022 https://doi.org/10.1090/conm/779/15673
Frobenius structures on hypergeometric equations

Kiran S. Kedlaya

Abstract. We give an exposition of Dwork's construction of Frobenius structures associated to generalized hypergeometric equations via the interpretation of the latter due to Gelfand–Kapranov–Zelevinsky in the language of A-hypergeometric systems. As a consequence, we extract some explicit formulas for the degeneration at 0 in terms of the Morita p-adic gamma function.

1. Introduction

Hypergeometric differential equations, of arbitrary order, provide some key examples of Picard–Fuchs equations and of rigid local systems. As such, they admit p-adic analytic Frobenius structures which interpolate the zeta functions associated to certain motives over finite fields. The purpose of this note is to extract from Dwork's book [16] an explicit construction of Frobenius structures on hypergeometric equations (see Theorem 4.1.2), and in particular a formula for the residue at 0 (see Corollary 4.3.3), using A-hypergeometric systems in the sense of Gelfand–Kapranov–Zelevinsky [22] (which we introduce in very little detail in §3). We also give a brief indication of how this knowledge can be used as the basis for an efficient algorithm to compute the action of Frobenius on the (rational) crystalline realizations of hypergeometric motives, in the style of Lauder's deformation method [36]. We have implemented this method in SageMath [33] and gotten good results in practice; however, some further analysis is needed on the tradeoff between rigor and efficiency caused by the choice of working precision for certain power series and p-adic coefficients (see Remark 5.3.1).

2. Generalities

We first recall some general facts and definitions concerning ordinary differential equations, including the definition of a Frobenius structure.

2020 Mathematics Subject Classification. Primary 33C20, 12H25.
The author was supported by NSF (grants DMS-1501214, DMS-1802161, DMS-2053473), UCSD (Warschawski Professorship), and the IAS School of Mathematics (Visiting Professorship 2018–2019). Additional funding/hospitality was provided by ICTP (September 2017), HRIM–Bonn (March 2018), KIAS–Seoul (August 2019), AIM (August 2019), EPSRC (grant EP/K034383/1), and the Simons Collaboration on Arithmetic Geometry, Number Theory, and Computation.
©2022 Kiran S. Kedlaya
2.1. Ordinary differential equations. We first recall some standard concepts in order to set notation for them.

Definition 2.1.1. Let $D$ be a differential operator acting on a field $F$ of characteristic zero. By a $D$-differential equation, we will always mean a homogeneous linear differential equation in the variable $y$ of the form
$$(2.1.1.1)\qquad D^n(y) + a_{n-1}D^{n-1}(y) + \cdots + a_0y = 0$$
with $a_0, \dots, a_{n-1} \in F$. For uniformity of notation, we set $a_n = 1$. By a $D$-differential system of rank $n$, we will mean an equation in the variable $v$ (a column vector of length $n$) of the form
$$(2.1.1.2)\qquad Nv + D(v) = 0,$$
where $N$ is an $n \times n$ matrix over $F$. This is the same structure as a connection over $F$ whose underlying module is equipped with a distinguished basis.

Remark 2.1.2. Given the equation (2.1.1.1), let $N$ be the companion matrix
$$N = \begin{pmatrix} 0 & -1 & \cdots & 0 & 0 \\ 0 & 0 & \ddots & 0 & 0 \\ \vdots & & \ddots & \ddots & \vdots \\ 0 & 0 & \cdots & 0 & -1 \\ a_0 & a_1 & \cdots & a_{n-2} & a_{n-1} \end{pmatrix};$$
then the solutions of (2.1.1.2) are precisely the vectors of the form
$$v = \begin{pmatrix} y \\ D(y) \\ \vdots \\ D^{n-1}(y) \end{pmatrix}$$
where $y$ is a solution of (2.1.1.1). Conversely, given the equation (2.1.1.2), note that for $U$ an invertible $n \times n$ matrix over $F$, the equation
$$N_Uw + D(w) = 0, \qquad N_U := U^{-1}NU + U^{-1}D(U)$$
is equivalent to the original equation via the substitutions
$$v \mapsto Uw, \qquad w \mapsto U^{-1}v.$$
The cyclic vector theorem (see for example [32, Theorem 5.4.2]) then implies that for any choice of $N$, there exists some $U$ for which $N_U$ is a companion matrix. However, there is typically no natural choice of $U$.

Definition 2.1.3. Let $X$ be a locally ringed space over $\operatorname{Spec}\mathbb{Q}$. Let $\Omega$ be a coherent sheaf on $X$ equipped with a derivation $d : \mathcal{O}_X \to \Omega$. A connection on $X$ (with respect to $d$) consists of a pair $(\mathcal{E}, \nabla)$ in which $\mathcal{E}$ is a vector bundle (locally free coherent sheaf) on $X$ and $\nabla : \mathcal{E} \to \mathcal{E} \otimes_{\mathcal{O}_X} \Omega$ is an additive morphism satisfying the Leibniz rule with respect to $d$: for $U \subseteq X$ open, $f \in \Gamma(U, \mathcal{O})$, $v \in \Gamma(U, \mathcal{E})$, we have
$$\nabla(fv) = f\nabla(v) + v \otimes d(f).$$
We also refer to such a pair as being a connection on $\mathcal{E}$. The elements of the kernel of $\nabla$ on $\mathcal{E}(U)$ are called the horizontal sections of $\mathcal{E}$, or more precisely of $(\mathcal{E}, \nabla)$, over $U$.
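An added worked instance of Remark 2.1.2 (not code from the paper): for a constructed rank-2 equation with $D = z\frac{d}{dz}$ it builds the companion matrix $N$, applies the gauge transformation $N_U = U^{-1}NU + U^{-1}D(U)$ for a constructed unimodular $U$, and checks on power series truncated modulo $z^{12}$ that $v = (y, D(y))$ solves $Nv + D(v) = 0$ while $w = U^{-1}v$ solves the transformed system. The equation $D^2(y) - (1+z)D(y) = 0$ (solved by $y = e^z$), the matrix $U$, and the truncation order are assumptions of the example.

```python
# Added example, not code from the paper: Remark 2.1.2 worked out for a
# constructed rank-2 D-differential equation with D = z d/dz, on power series
# truncated modulo z^ORDER with exact rational coefficients.
from fractions import Fraction as Fr
from math import factorial

ORDER = 12  # all series arithmetic below is exact modulo z^ORDER

def ser(*coeffs):
    """A power series in z as a list of ORDER Fractions, constant term first."""
    out = [Fr(0)] * ORDER
    for i, c in enumerate(coeffs[:ORDER]):
        out[i] = Fr(c)
    return out

def s_add(a, b):
    return [x + y for x, y in zip(a, b)]

def s_mul(a, b):
    out = [Fr(0)] * ORDER
    for i, x in enumerate(a):
        if x:
            for j in range(ORDER - i):
                out[i + j] += x * b[j]
    return out

def s_D(a):
    """D = z d/dz multiplies the coefficient of z^k by k."""
    return [k * c for k, c in enumerate(a)]

def m_mul(A, B):
    n = len(A)
    C = [[ser() for _ in range(n)] for _ in range(n)]
    for i in range(n):
        for j in range(n):
            for k in range(n):
                C[i][j] = s_add(C[i][j], s_mul(A[i][k], B[k][j]))
    return C

def m_add(A, B):
    return [[s_add(x, y) for x, y in zip(ra, rb)] for ra, rb in zip(A, B)]

def m_D(A):
    return [[s_D(x) for x in row] for row in A]

def m_vec(A, v):
    out = []
    for row in A:
        acc = ser()
        for x, y in zip(row, v):
            acc = s_add(acc, s_mul(x, y))
        out.append(acc)
    return out

def companion(a):
    """Companion matrix N of D^n y + a_{n-1} D^{n-1} y + ... + a_0 y = 0:
    -1 on the superdiagonal and (a_0, ..., a_{n-1}) as the last row."""
    n = len(a)
    N = [[ser() for _ in range(n)] for _ in range(n)]
    for i in range(n - 1):
        N[i][i + 1] = ser(-1)
    N[n - 1] = [list(c) for c in a]
    return N

def gauge(N, U, Uinv):
    """N_U = U^{-1} N U + U^{-1} D(U): the system in the basis v = U w."""
    return m_add(m_mul(m_mul(Uinv, N), U), m_mul(Uinv, m_D(U)))

def residual(N, v):
    """N v + D(v); this is zero exactly when v solves the system."""
    return [s_add(x, s_D(y)) for x, y in zip(m_vec(N, v), v)]

def is_zero(vec):
    return all(c == 0 for s in vec for c in s)

# Constructed equation D^2(y) - (1+z) D(y) = 0, i.e. a_0 = 0, a_1 = -(1+z);
# y = exp(z) solves it, since D(exp z) = z exp z.
N = companion([ser(0), ser(-1, -1)])
y = ser(*[Fr(1, factorial(k)) for k in range(ORDER)])
v = [y, s_D(y)]                   # the vector (y, D(y)) of Remark 2.1.2

# Constructed change of basis U = [[1, z], [0, 1]] with its inverse.
U = [[ser(1), ser(0, 1)], [ser(0), ser(1)]]
Uinv = [[ser(1), ser(0, -1)], [ser(0), ser(1)]]
N_U = gauge(N, U, Uinv)
w = m_vec(Uinv, v)                # w = U^{-1} v solves N_U w + D(w) = 0

if __name__ == "__main__":
    print(is_zero(residual(N, v)), is_zero(residual(N_U, w)))   # True True
    print(is_zero(residual(N_U, v)))   # False: N_U is not the matrix for v
```

Here $N_U$ is no longer a companion matrix (its top-right entry becomes $-1 + 2z + z^2$), which is the point of the remark: the system is the same connection, only the distinguished basis has changed.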
Given two connections $(\mathcal{E}_1, \nabla_1)$, $(\mathcal{E}_2, \nabla_2)$, the tensor product is the connection $(\mathcal{E}_1 \otimes_{\mathcal{O}_X} \mathcal{E}_2, \nabla)$ given by
$$\nabla(fv \otimes w) = f\nabla_1(v) \otimes w + fv \otimes \nabla_2(w) + d(f) \otimes v \otimes w.$$
Given a connection $(\mathcal{E}, \nabla)$, the dual is the unique connection whose underlying bundle is the module-theoretic dual $\mathcal{E}^\vee$ for which the canonical pairing $\mathcal{E} \otimes \mathcal{E}^\vee \to \mathcal{O}_X$ is a morphism of connections.

Remark 2.1.4. In the case where $X = \operatorname{Spec} F$, $\Omega = \mathcal{O}_X$, $d = D$, and $\mathcal{E} = \mathcal{O}_X^{\oplus n}$, any connection on $\mathcal{E}$ has the form $v \mapsto Nv + D(v)$ for some $n \times n$ matrix $N$ over $F$ (and conversely any such matrix defines a connection). The solutions of the equation (2.1.1.1) then correspond to the horizontal sections of $\mathcal{E}$ over $X$. The dual connection (with the dual basis) corresponds to the matrix $-N^T$.
Definition 2.1.5. Let $F\{D\}$ denote the Ore polynomial ring in $D$; it is a noncommutative $F$-algebra whose underlying set coincides with that of $F[D]$, but whose multiplication is characterized by the identity
$$Dx - xD = D(x) \qquad (x \in F).$$
Then a connection on $\operatorname{Spec} F$ is the same as a left $F\{D\}$-module whose underlying $F$-vector space is identified with the set of length-$n$ column vectors over $F$, with the action of $D$ given by $v \mapsto Nv + D(v)$; passing from $N$ to $N_U$ amounts to changing basis on this vector space via the matrix $U$. Given a $D$-differential system defined by a $D$-differential equation (2.1.1.1), the dual of the corresponding connection is the left $F\{D\}$-module
$$F\{D\}/F\{D\}(D^n + a_{n-1}D^{n-1} + \cdots + a_0).$$

2.2. Regular singularities. Throughout §2.2, let $K$ be a field of characteristic 0.

Definition 2.2.1. In the notation of §2.1, take $F = K(z)$ to be equipped with the derivation $D = z\frac{d}{dz}$. We then say that the equation (2.1.1.1) is regular at 0 if $\operatorname{ord}_0(a_i) \ge 0$ for $i = 0, \dots, n-1$. We say that (2.1.1.2) is regular at 0 if $\operatorname{ord}_0(N_{ij}) \ge 0$ for $i, j = 1, \dots, n$.

Definition 2.2.2. With notation as in Definition 2.2.1, fix an algebraic closure of $K$. Define the local exponents at 0 of the equation (2.1.1.2) to be the negations of the roots of the characteristic polynomial of $N|_{z=0}$. By the classical theory of regular (Fuchsian) singularities, the images of the local exponents under $\exp(2\pi i\,\bullet)$ compute the eigenvalues of local monodromy around $z = 0$. Note that this only uses the values of the exponents modulo $\mathbb{Z}$; in fact it is only these residues that are intrinsic under meromorphic changes of coordinates, as one can make integral shifts using shearing transformations [32, Proposition 7.3.10].

Definition 2.2.3. Now in the notation of §2.1, take $F = K(z)$ to be equipped with the derivation $D = \frac{d}{dz}$. For $z_0 \in \mathbb{P}^1_K$, the equation (2.1.1.2) is regular at $z_0$ if the entries of $N$ have at worst simple poles at $z = z_0$; for $z_0 = 0$, this is consistent with Definition 2.2.1. The equation (2.1.1.1) is regular at $z_0$ if the corresponding matrix equation is; for $z_0 \in \mathbb{A}^1_K$, this translates into the condition
$$\operatorname{ord}_{z_0}(a_i) \ge i - n \qquad (i = 0, \dots, n-1).$$
KIRAN S. KEDLAYA
2.3. Frobenius structures on differential equations.

Hypothesis 2.3.1. Throughout §2.3, fix a prime $p$. Let $X$ be an open subspace of $\mathbb{P}^1_{\mathbb{Q}_p}$. Let $Z$ be the complement of $X$ in $\mathbb{P}^1_{\mathbb{Q}_p}$; to simplify notation, we assume that $\{0, \infty\} \subseteq Z$.

Definition 2.3.2. By a Frobenius lift, we will mean a $\mathbb{Q}_p$-linear map $\sigma: \mathcal{O}(X) \to \mathcal{O}(X)$ such that $\sigma(z) - z^p \in p\mathbb{Z}_p[z]_{(p)}$. For instance, we may take $\sigma(z) = z^p$; we call this the standard Frobenius lift (with respect to the coordinate $z$).

Definition 2.3.3. Let $\mathbb{P}^{1,\mathrm{an}}_{\mathbb{Q}_p}$ be the analytification of $\mathbb{P}^1_{\mathbb{Q}_p}$ in the sense of rigid analytic geometry. (For the purposes of this discussion, we use Tate's model of $p$-adic analytic geometry; however any of the equivalent models of $p$-adic analytic geometry may be used instead, such as Berkovich spaces or Huber adic spaces.) Let $(E, \nabla)$ be a connection on $X$. We define a Frobenius structure on $(E, \nabla)$ with respect to the Frobenius lift $\sigma$ as an isomorphism $\sigma^*E \cong E$ of vector bundles with connection on some subspace $V$ of $\mathbb{P}^{1,\mathrm{an}}_{\mathbb{Q}_p}$ whose complement consists of a union of closed discs, each contained in the open unit disc around some point of $Z$. More generally, for $(E', \nabla')$ another connection on $X$, we define a Frobenius intertwiner from $(E, \nabla)$ to $(E', \nabla')$ with respect to the Frobenius lift $\sigma$ to be an isomorphism $\sigma^*E \cong E'$ of vector bundles with connection on some subspace $V$ as above.
Remark 2.3.4. In the context of Remark 2.1.4, a Frobenius intertwiner corresponds to an invertible $n \times n$ matrix $\Phi$ with entries in the ring $\mathcal{O}(V)$ satisfying
$$N'\Phi - c_\sigma\,\Phi\,\sigma(N) + D(\Phi) = 0, \qquad c_\sigma = \frac{D(\sigma(z))}{\sigma(z)} = \frac{\sigma(dz/z)}{dz/z}. \tag{2.3.4.1}$$
The effect of changing basis by two invertible matrices $U, U'$ is to replace $\Phi$ with $\Phi_{U,U'} := U'^{-1}\Phi\,\sigma(U)$, which defines a Frobenius intertwiner from $N_U$ to $N'_{U'}$.

Remark 2.3.5. When a Frobenius intertwiner exists, one can always rescale it by an invertible element of $\mathbb{Q}_p$. In many cases, one can show that there can be at most one Frobenius structure up to rescaling (see Lemma 2.3.6 below); however, we will need some extra information in order to normalize for this scalar ambiguity.

Lemma 2.3.6. Let $(E, \nabla)$ and $(E', \nabla')$ be two connections on $X$ satisfying the following conditions.
(a) The restriction of $(E, \nabla)$ to some open unit disc is trivial.
(b) The points of $Z$ are pairwise noncongruent modulo $p$.
(c) At each $z \in Z$, $(E', \nabla')$ is regular with exponents in $\mathbb{Z}_{(p)}$.
(d) The connection $(E', \nabla')$ is irreducible over $\mathbb{Q}_p(z)$.
Then up to $\mathbb{Q}_p^\times$-scalar multiplication, there exists at most one Frobenius intertwiner from $(E, \nabla)$ to $(E', \nabla')$.

Proof. By Baldassarri's theorem on continuity of the radius of convergence of $p$-adic differential equations [3], condition (a) implies triviality of $(E, \nabla)$ also on the restriction to a generic open unit disc. With this, we may apply [14] to conclude.
FROBENIUS STRUCTURES ON HYPERGEOMETRIC EQUATIONS
Remark 2.3.7. While the definition of a Frobenius intertwiner was made in terms of the chosen Frobenius lift $\sigma$, there is a certain independence from this choice: for any other Frobenius lift $\tilde{\sigma}$, there is a functorial way to transform Frobenius intertwiners with respect to $\sigma$ into Frobenius intertwiners with respect to $\tilde{\sigma}$ using the Taylor isomorphism. As we will mostly be concerned with Frobenius defined with respect to a fixed Frobenius lift $z \mapsto z^p$, we will not develop this point here; see for example [32, §17.3].

Lemma 2.3.8. Let $D_0$ denote the open unit disc around 0, and suppose that $Z \cap D_0 = \{0\}$. Let $(E, \nabla), (E', \nabla')$ be connections on $X$ which are regular at 0 with exponents in $\mathbb{Q} \cap \mathbb{Z}_{(p)}$. Suppose that there exists a Frobenius intertwiner $\Phi$ from $(E, \nabla)$ to $(E', \nabla')$ with respect to the standard Frobenius lift $\sigma$.
(a) As multisets of $\mathbb{Q}/\mathbb{Z}$, the local exponents of $(E', \nabla')$ at 0 correspond to $p$ times the local exponents of $(E, \nabla)$.
(b) On $D_0$, we have decompositions
$$E \cong \bigoplus_{\lambda \in \mathbb{Z}_{(p)} \cap [0,1)} E_\lambda, \qquad E' \cong \bigoplus_{\mu \in \mathbb{Z}_{(p)} \cap [0,1)} E'_\mu$$
of connections such that $E_\lambda$ (resp. $E'_\mu$) admits a basis on which $D = z\frac{d}{dz}$ acts by multiplication by $\lambda$ (resp. $\mu$) plus a nilpotent matrix with entries in $\mathbb{Q}_p$.
(c) The Frobenius intertwiner $\Phi$ extends holomorphically to the punctured open unit disc around 0 and meromorphically across 0. More precisely, with bases as in (b), for $\lambda, \mu \in \mathbb{Z}_{(p)} \cap [0,1)$ with $p\lambda \equiv \mu \pmod{\mathbb{Z}}$, $\Phi$ carries $\sigma^*E_\lambda$ into $E'_\mu$ and $t^{\mu - p\lambda}\Phi$ acts holomorphically on the chosen bases.

Proof. Suppose first that the exponents at 0 are all in $\mathbb{Z}$. In this case, (a) is trivial, (b) follows from [32, Proposition 17.5.1], and (c) follows from (b) by logic as in Remark 2.3.10 below. To treat the general case, let $m$ be the least common denominator of the exponents; then pulling back along $z \mapsto z^m$ gives another pair of connections admitting a Frobenius intertwiner, to which we may apply the previous argument to deduce the claim. Compare the proof of [34, Lemma 2.3].

Remark 2.3.9. By making the substitution $z \mapsto z^{-1}$, we may immediately infer that Lemma 2.3.8 holds with the point 0 replaced by $\infty$. The same does not apply directly to other points of $\mathbb{P}^1_{\mathbb{Q}_p}$ because the relevant substitutions change the Frobenius lift; however, by Remark 2.3.7 we may still infer that Lemma 2.3.8(a) holds at any point of $\mathbb{P}^1_{\mathbb{Q}_p}$.

We next introduce the idea that one can compute a Frobenius structure by solving a differential equation and imposing an initial condition.

Remark 2.3.10. Assuming that a given pair of connections given by matrices $N, N'$ admits a Frobenius intertwiner $\Phi$ for the standard Frobenius lift $\sigma$, one can attempt to compute it by first finding formal solution matrices $U, U'$ of $N, N'$ at 0, i.e., finding invertible matrices $U, U'$ over $\mathbb{Q}_p[[z]]$ for which $N_U$ and $N'_{U'}$ have entries in $\mathbb{Q}_p$ (we refer to such matrices as scalar matrices). In the context of hypergeometric equations, we will even have explicit formulas for $U, U'$ in terms of hypergeometric series and their derivatives. We may further ensure that $N_U, N'_{U'}$ are block diagonal matrices with blocks indexed by $\lambda \in \mathbb{Z}_{(p)} \cap [0,1)$, in which each of the blocks $N_\lambda, N'_\lambda$ equals $\lambda$ plus a
nilpotent matrix. In this case, $\Phi_{U,U'}$ is itself a block permutation matrix with nonzero $(\lambda, \mu)$-block whenever $p\lambda \equiv \mu \pmod{\mathbb{Z}}$. If we call this block $\Phi_\lambda$, as per (2.3.4.1) we have
$$N'_\mu\Phi_\lambda + D(\Phi_\lambda) = p\,\Phi_\lambda N_\lambda.$$
(Here we have replaced $\sigma(N_\lambda)$ with $N_\lambda$ because $N_\lambda$ has entries in $\mathbb{Q}_p$, which are fixed by $\sigma$.) Since $N_\lambda$ and $N'_\mu$ are scalar matrices, we may write $\Phi_\lambda = \sum_{n=-\infty}^{\infty}\Phi_n z^n$ and see that $N'_\mu\Phi_n + n\Phi_n = p\,\Phi_n N_\lambda$; since $N_\lambda - \lambda$ and $N'_\mu - \mu$ are nilpotent, this implies that $\Phi_n = 0$ unless $\mu + n = p\lambda$; that is, $\Phi_\lambda$ equals $t^{p\lambda - \mu}$ times an invertible matrix over $\mathbb{Q}_p$.

Remark 2.3.11. Keeping notation as in Remark 2.3.10, by writing $\Phi$ in the form $U'\,\Phi_{U,U'}\,\sigma(U)^{-1}$, we can express the entries of $\Phi$ as elements of $\mathbb{Q}_p[[z]]$. In order to be a Frobenius structure, these series have to also represent entries of $\mathcal{O}(V)$ for some $V$; this in particular implies that the series in $\mathbb{Q}_p[[z]]$ we are considering have bounded coefficients, that is, they belong to the subring $\mathbb{Z}_p[[z]][p^{-1}]$ of $\mathbb{Q}_p[[z]]$. This containment generally does not hold "by accident." For a typical differential equation, there is no choice of the scalar matrices $\Phi_{\lambda,0} := t^{\mu - p\lambda}\Phi_\lambda$ for which this last containment holds; in this case, no Frobenius structure can exist. When a Frobenius structure does exist, typically the values of $\Phi_{\lambda,0}$ are uniquely determined, up to a joint scalar multiplication, by the fact that they give rise to entries of $\Phi$ having bounded coefficients. This can be used as a mechanism for discovering the entries of $\Phi_{\lambda,0}$ empirically without any prior knowledge; see [43] for some examples of this and [8] for a more comprehensive treatment. By contrast, in the case of hypergeometric equations, we will give a computable formula for the matrices $\Phi_{\lambda,0}$. (Since the entries are elements of $\mathbb{Q}_p$ which are in general transcendental over $\mathbb{Q}$, this means that for any fixed integer $N$, we can compute rational numbers which differ from the entries of $\Phi_{\lambda,0}$ by values in $p^N\mathbb{Z}_p$.)

Remark 2.3.12.
Keeping notation as in Remark 2.3.11, suppose that there exists a Frobenius structure $\Phi$ for which we have a computable formula for the matrices $\Phi_{\lambda,0}$. The entries of $\Phi$ are elements of $\mathcal{O}(V)$; this ring is a certain completion of $\mathcal{O}(X)$ contained in the $p$-adic completion. We may thus represent the entries of $\Phi$ as sums of the form
$$P(z) + \sum_{i=1}^{\infty}\frac{c_i}{Q(z)^i} \qquad (P(z) \in \mathbb{Q}_p[z^{\pm}],\ c_i \in \mathbb{Q}_p,\ \lim_{i \to \infty} c_i = 0)$$
where $Q(z)$ is the monic polynomial with simple zeroes at $Z \setminus \{0, \infty\}$. (In the case of hypergeometric equations, we will have $Q(z) = z - 1$.) In order to obtain a representation of $\Phi$ which is accurate to some prescribed $p$-adic accuracy, we need an effective bound on the decay rate of the $c_i$; this amounts to identifying a choice of the subspace $V$ and a bound on $\Phi$ over $V$. In the case where the points of $Z$ have pairwise distinct images under specialization, this can be done by studying the effect of changing the Frobenius lift (Remark 2.3.7).

3. Hypergeometric equations and the GKZ construction

We now describe the generalized hypergeometric equation that we consider, the Gelfand–Kapranov–Zelevinsky construction of $A$-hypergeometric systems, and how the two are related.
3.1. Hypergeometric differential equations.

Definition 3.1.1. Define the differential operator $D := z\frac{d}{dz}$ on the field $K(z)$ as in Definition 2.2.1. The generalized hypergeometric equation with parameters in $K$ given by
$$\alpha; \beta = \alpha_1, \dots, \alpha_m; \beta_1, \dots, \beta_n$$
is the linear differential equation of the form
$$P(\alpha; \beta)(y) = 0, \qquad P(\alpha; \beta) := z\prod_{i=1}^{m}(D + \alpha_i) - \prod_{j=1}^{n}(D + \beta_j - 1). \tag{3.1.1.1}$$
(We conflate this equation with the equivalent equation in terms of the operator $\frac{d}{dz}$, which is somewhat less compact to express.) The case $m = n = 2$ recovers the classical (Gaussian) hypergeometric equation. We will primarily be interested in the case $K = \mathbb{Q}$, but in this section we treat the case $K = \mathbb{C}$ following Beukers–Heckman [5].

Remark 3.1.2. Under the substitution $z \mapsto (-1)^{m-n}z^{-1}$, solutions of (3.1.1.1) correspond to solutions of $P(\alpha'; \beta')(y) = 0$ for
$$\alpha'; \beta' := 1 - \beta_1, \dots, 1 - \beta_n; 1 - \alpha_1, \dots, 1 - \alpha_m.$$

Remark 3.1.3. As in [5, Proposition 2.3], one has
$$(D + \delta - 1)P(\alpha; \beta) = P(\alpha, \delta; \beta, \delta), \qquad P(\alpha; \beta)(D + \delta) = P(\alpha, \delta; \beta, \delta + 1).$$
(The first identity uses $(D + \delta - 1)z = z(D + \delta)$.) As per [5, Corollary 2.4], it follows that for $i = 1, \dots, m$ and $j = 1, \dots, n$,
$$P(\alpha; \beta)(D + \alpha_i - 1) = (D + \alpha_i - 1)P(\alpha_1, \dots, \alpha_i - 1, \dots, \alpha_m; \beta_1, \dots, \beta_n),$$
$$(D + \beta_j - 1)P(\alpha_1, \dots, \alpha_m; \beta_1, \dots, \beta_j + 1, \dots, \beta_n) = P(\alpha; \beta)(D + \beta_j).$$
This has the consequence that for all practical purposes, the analysis of the hypergeometric equation is insensitive to integer shifts in the parameters. In particular, there is no real loss of generality in normalizing the parameters so that
$$0 \leq \operatorname{Re}(\alpha_1) \leq \cdots \leq \operatorname{Re}(\alpha_m) < 1, \qquad 0 \leq \operatorname{Re}(\beta_1) \leq \cdots \leq \operatorname{Re}(\beta_n) < 1;$$
this will become convenient when we start manipulating series solutions of (3.1.1.1).

Remark 3.1.4. For $m = n = 1$, (3.1.1.1) becomes
$$\bigl((z - 1)D + (z - 1)(\beta_1 - 1) + z(\alpha_1 - \beta_1 + 1)\bigr)(y) = 0$$
with formal solutions $y = cz^{1-\beta_1}(z - 1)^{\beta_1 - \alpha_1 - 1}$.

We next recall the explicit description of formal solutions of (3.1.1.1) at $z = 0$. The formal solutions at $z = \infty$ may be described similarly by interchanging the roles of the $\alpha$ and the $\beta$. The formal solutions at $z = 1$ behave somewhat differently; see [5, Proposition 2.8].

Definition 3.1.5. For $n$ a nonnegative integer, define the rising Pochhammer symbol
$$(\alpha)_n := \alpha(\alpha + 1)\cdots(\alpha + n - 1).$$
Define the Clausen–Thomae hypergeometric series
$${}_mF_{n-1}\left(\begin{matrix}\alpha_1, \dots, \alpha_m\\ \beta_1, \dots, \beta_{n-1}\end{matrix}; z\right) := \sum_{k=0}^{\infty}\frac{(\alpha_1)_k\cdots(\alpha_m)_k}{(\beta_1)_k\cdots(\beta_{n-1})_k}\frac{z^k}{k!}.$$
The case $m = n = 3$ was first considered by Clausen [12]; the general case was first considered by Thomae [42].

Proposition 3.1.6. In (3.1.1.1), suppose that $\beta_n = 1$ (so that $(\beta_n)_k = k!$) and that no $\beta_i$ is a nonpositive integer (which is to say that $(\beta_i)_k \neq 0$ for all $k \geq 0$). Then
$${}_mF_{n-1}\left(\begin{matrix}\alpha_1, \dots, \alpha_m\\ \beta_1, \dots, \beta_{n-1}\end{matrix}; z\right)$$
is a solution of (3.1.1.1) in $\mathbb{C}[[z]]$.

Proof. This may be seen by a direct calculation: applying the operator $z(D + \alpha_1)\cdots(D + \alpha_m)$ to the given series yields
$$\sum_{k=0}^{\infty}\frac{(\alpha_1)_{k+1}\cdots(\alpha_m)_{k+1}}{(\beta_1)_k\cdots(\beta_{n-1})_k}\frac{z^{k+1}}{k!},$$
while applying $(D + \beta_1 - 1)\cdots(D + \beta_n - 1) = (D + \beta_1 - 1)\cdots(D + \beta_{n-1} - 1)D$ yields the equivalent expression
$$\sum_{k=0}^{\infty}\frac{(\alpha_1)_k\cdots(\alpha_m)_k}{(\beta_1)_{k-1}\cdots(\beta_{n-1})_{k-1}}\frac{kz^k}{k!}.$$

Corollary 3.1.7. In (3.1.1.1), suppose that $m \leq n$ and that $\beta_1, \dots, \beta_n \in \mathbb{Q}$ are pairwise distinct modulo $\mathbb{Z}$. Then the sums
$$z^{1-\beta_i}\,{}_mF_{n-1}\left(\begin{matrix}\alpha_1 - \beta_i + 1, \dots, \alpha_m - \beta_i + 1\\ \beta_1 - \beta_i + 1, \dots, \widehat{\beta_i - \beta_i + 1}, \dots, \beta_n - \beta_i + 1\end{matrix}; z\right) \qquad (i = 1, \dots, n) \tag{3.1.7.1}$$
(the hat denoting an omitted lower parameter) form a $\mathbb{C}$-basis of the solutions of (3.1.1.1) in the Puiseux field $\bigcup_{l=1}^{\infty}\mathbb{C}((z^{1/l}))$.

By formally differentiating with respect to parameters, we see what happens when some of the $\beta$'s come together modulo $\mathbb{Z}$.

Corollary 3.1.8. In (3.1.1.1), suppose that no two of $\beta_1, \dots, \beta_n \in \mathbb{Q}$ differ by a nonzero integer (e.g., because they all belong to $[0, 1)$). For each $\beta \in \{\beta_1, \dots, \beta_n\}$ occurring with multiplicity $\mu$, for $j = 0, \dots, \mu - 1$, consider the sums
$$z^{1-\beta}\sum_{i=0}^{j}\frac{j!\,(\log z)^{j-i}}{(j-i)!}\,[\epsilon^i]\sum_{k=0}^{\infty}\frac{(\alpha_1 - \beta + 1 + \epsilon)_k\cdots(\alpha_m - \beta + 1 + \epsilon)_k}{(\beta_1 - \beta + 1 + \epsilon)_k\cdots(\beta_n - \beta + 1 + \epsilon)_k}z^k \tag{3.1.8.1}$$
where $[\epsilon^i](*)$ means the coefficient of $\epsilon^i$ in the expansion of $*$ as a formal power series in $\epsilon$. These then form a $\mathbb{C}$-basis of the solutions of (3.1.1.1) in the ring $\bigcup_{m=1}^{\infty}\mathbb{C}((z^{1/m}))[\log z]$.

Proof. For $j = 0$, Proposition 3.1.6 (applied after the substitution $y = z^{1-\beta}w$, which shifts every parameter by $1 - \beta$) implies that (3.1.8.1) is a solution; here $\epsilon = 0$. For $\epsilon \neq 0$, applying $P(\alpha; \beta)$ to $z^{1-\beta+\epsilon}$ times the inner series leaves only the $k = 0$ term, which is $\epsilon^\mu$ times a quantity nonvanishing at $\epsilon = 0$; hence the first $\mu - 1$ derivatives with respect to $\epsilon$ at $\epsilon = 0$ are again solutions, and they are linearly independent because of the distinct powers of $\log z$. Noting that the derivative of $z^{1-\beta+\epsilon}$ with respect to $\epsilon$ is $(\log z)z^{1-\beta+\epsilon}$, we obtain the claimed formula.
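As an added check, not part of the original paper, the following Python script implements the action of $P(\alpha;\beta)$ on a formal series $z^s\sum_k c_k z^k$ with exact rational arithmetic and verifies that each series (3.1.7.1) is annihilated coefficient by coefficient; the $m = n = 1$ case of Remark 3.1.4 is covered as a special instance, since there (3.1.7.1) is $z^{1-\beta_1}\,{}_1F_0(\alpha_1 - \beta_1 + 1;;z) = z^{1-\beta_1}(1-z)^{\beta_1 - \alpha_1 - 1}$. The function names (`apply_P`, `local_solution`, `residual`) and the sample parameters are my own choices; the check also rejects a lower parameter that is a nonpositive integer, which is the case excluded in Proposition 3.1.6.

```python
from fractions import Fraction
from math import prod


def rising(a, k):
    """Pochhammer symbol (a)_k = a (a+1) ... (a+k-1) of Definition 3.1.5."""
    out = Fraction(1)
    for i in range(k):
        out *= a + i
    return out


def hyper_coeffs(upper, lower, terms):
    """Coefficients c_0, ..., c_{terms-1} of the Clausen-Thomae series
    mF_{n-1}(upper; lower; z) = sum_k prod_i (upper_i)_k / (prod_j (lower_j)_k k!) z^k.
    A lower parameter that is a nonpositive integer makes (b)_k vanish for large k,
    which is the case excluded in Proposition 3.1.6, so it is rejected."""
    upper = [Fraction(a) for a in upper]
    lower = [Fraction(b) for b in lower]
    for b in lower:
        if b.denominator == 1 and b <= 0:
            raise ValueError(f"lower parameter {b} is a nonpositive integer")
    coeffs = []
    for k in range(terms):
        num = prod((rising(a, k) for a in upper), start=Fraction(1))
        den = prod((rising(b, k) for b in lower), start=Fraction(1)) * rising(Fraction(1), k)
        coeffs.append(num / den)
    return coeffs


def apply_P(alphas, betas, s, coeffs):
    """Coefficients r_k of z^{-s} P(alpha; beta)(z^s sum_k c_k z^k) for k < len(coeffs).

    Since D = z d/dz acts on z^{s+k} as multiplication by s + k,
      z prod_i (D + alpha_i)  maps c_k z^{s+k} to c_k prod_i (s+k+alpha_i) z^{s+k+1},
      prod_j (D + beta_j - 1) maps c_k z^{s+k} to c_k prod_j (s+k+beta_j-1) z^{s+k}.
    The truncation is exact because r_k only involves c_{k-1} and c_k."""
    res = []
    for k in range(len(coeffs)):
        shifted = Fraction(0)
        if k > 0:
            shifted = coeffs[k - 1] * prod((s + k - 1 + a for a in alphas), start=Fraction(1))
        diagonal = coeffs[k] * prod((s + k + b - 1 for b in betas), start=Fraction(1))
        res.append(shifted - diagonal)
    return res


def local_solution(alphas, betas, i, terms):
    """The i-th series of (3.1.7.1): the exponent s = 1 - beta_i and the coefficients of
    mF_{n-1} with upper parameters alpha - beta_i + 1 and lower parameters
    beta_j - beta_i + 1 for j != i (the omitted parameter beta_i - beta_i + 1 = 1 is the k!)."""
    bi = Fraction(betas[i])
    upper = [Fraction(a) - bi + 1 for a in alphas]
    lower = [Fraction(b) - bi + 1 for j, b in enumerate(betas) if j != i]
    return 1 - bi, hyper_coeffs(upper, lower, terms)


def residual(alphas, betas, i, terms=12):
    """P(alpha; beta) applied to the i-th local solution, coefficient by coefficient.
    Every entry is exactly zero when the hypotheses of Corollary 3.1.7 hold."""
    alphas = [Fraction(a) for a in alphas]
    betas = [Fraction(b) for b in betas]
    s, coeffs = local_solution(alphas, betas, i, terms)
    return apply_P(alphas, betas, s, coeffs)


if __name__ == "__main__":
    F = Fraction
    alphas, betas = [F(1, 3), F(2, 3)], [F(1), F(1, 2)]  # constructed sample parameters
    for i in range(len(betas)):
        s = local_solution(alphas, betas, i, 1)[0]
        print(f"solution {i}: exponent {s}, residual {residual(alphas, betas, i)}")
```

Replacing the exponent $1 - \beta_i$ by any other value makes the residual nonzero already at $k = 1$, which is the content of the indicial equation at $z = 0$; and a pair $\beta_j - \beta_i \in \mathbb{Z}_{<0}$ trips the `ValueError`, which is why Corollary 3.1.8 needs the logarithmic series instead.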
Corollary 3.1.9. In (3.1.1.1), suppose that $\beta_1, \dots, \beta_n \in \mathbb{Q}$ and $0 \leq \beta_1 \leq \cdots \leq \beta_n < 1$. Let $i_1 < \cdots < i_l$ be the sequence of indices $i \in \{1, \dots, n\}$ for which either $i = 1$, or $i > 1$ and $\beta_{i-1} < \beta_i$. For $h = 1, \dots, l$, let $\mu_h$ denote the multiplicity of $\beta_{i_h}$ (so that $\mu_h = i_{h+1} - i_h$ if $h < l$ and $n + 1 - i_h$ otherwise). Define the series $f_1, \dots, f_n \in \mathbb{C}[[z]]$ by the following formula: for $h = 1, \dots, l$ and $j = 0, \dots, \mu_h - 1$, with $\beta = \beta_{i_h}$,
$$f_{i_h + j} := j!\,[\epsilon^j]\sum_{k=0}^{\infty}\frac{(\alpha_1 - \beta + 1 + \epsilon)_k\cdots(\alpha_m - \beta + 1 + \epsilon)_k}{(\beta_1 - \beta + 1 + \epsilon)_k\cdots(\beta_n - \beta + 1 + \epsilon)_k}z^k$$
(the normalization $j!$ is the one for which $g_{i_h+j}$ in the proof below is the $j$-th derivative in $\epsilon$, as in (3.1.8.1)). Let $U$ be the matrix over $\mathbb{C}[[z]]$ given by the following formula: for $h = 1, \dots, l$; $i = 1, \dots, n$; $j = 0, \dots, \mu_h - 1$,
$$U_{i(i_h + j)} = \sum_{k = \max\{0,\, j - i + 1\}}^{j}\frac{j!\,(i-1)!}{k!\,(j-k)!\,(i-1-j+k)!}(D + 1 - \beta_{i_h})^{i-1-j+k}(f_{i_h + k}).$$
Then $U$ is invertible and $N_U$ is a block matrix with block lengths $\mu_1, \dots, \mu_l$ in which
$$(N_U)_{(i_h + i)(i_h + j)} = \begin{cases}\beta_{i_h} - 1 & i = j\\ -j & j = i + 1\\ 0 & \text{otherwise}\end{cases} \qquad (h = 1, \dots, l;\ 0 \leq i, j \leq \mu_h - 1).$$

Proof. In the ring $\mathbb{C}((z))[\log z]$, we may define the elements $g_1, \dots, g_n$ so that for $h = 1, \dots, l$, $j = 0, \dots, \mu_h - 1$, the series $g_{i_h + j}$ is given by (3.1.8.1) for $\beta = \beta_{i_h}$, omitting the factor of $z^{1-\beta}$. Define the invertible $n \times n$ matrix $V$ over $\mathbb{C}((z))[\log z]$ by setting $V_{ij} = (D + 1 - \beta_j)^{i-1}(g_j)$; then $N_V$ is the diagonal matrix with entries $\beta_1 - 1, \dots, \beta_n - 1$. By construction, we have
$$g_{i_h + j} = \sum_{k=0}^{j}\binom{j}{k}(\log z)^k f_{i_h + j - k} \qquad (j = 0, \dots, \mu_h - 1);$$
consequently, for $i = 1, \dots, n$ we have (using $D(\log z) = 1$ and the Leibniz rule for $D + 1 - \beta_{i_h}$)
$$(D + 1 - \beta_{i_h})^{i-1}(g_{i_h + j}) = \sum_{r=0}^{j}\binom{j}{r}(D + 1 - \beta_{i_h})^{i-1}\bigl((\log z)^r f_{i_h + j - r}\bigr) = \sum_{k=0}^{j}\binom{j}{k}(\log z)^{j-k}\sum_{r = j-k}^{j} *\,(D + 1 - \beta_{i_h})^{i-1-r+j-k}(f_{i_h + j - r}),$$
$$* = \frac{k!\,(i-1)!}{(j-r)!\,(r-j+k)!\,(i-1-r+j-k)!},$$
where a term containing a factorial with negative argument is to be read as zero. That is, we have $V = UW$ where $W$ is the block matrix with block lengths $\mu_1, \dots, \mu_l$ in which
$$W_{(i_h + i)(i_h + j)} = \binom{j}{i}(\log z)^{j-i} \qquad (0 \leq i, j \leq \mu_h - 1);$$
it follows that $N_U = WN_VW^{-1} + WD(W^{-1})$. Since each block of $N_V$ is a scalar matrix, we have $WN_VW^{-1} = N_V$; meanwhile, an elementary computation shows that the $h$-th block of $WD(W^{-1})$ is nilpotent with superdiagonal entries $-1, -2, \dots, -\mu_h + 1$.
We recall the local structure of the singularities of (3.1.1.1) in the case $m = n$.

Proposition 3.1.10. For $m = n$, the equation (3.1.1.1) is regular with singularities at $0, 1, \infty$ having local exponents as follows:
$$z = 0:\ 1 - \beta_1, \dots, 1 - \beta_n; \qquad z = \infty:\ \alpha_1, \dots, \alpha_n; \qquad z = 1:\ 0, \dots, n - 2, \gamma, \quad \gamma := \sum_{i=1}^{n}\beta_i - \sum_{i=1}^{n}\alpha_i.$$

Proof. See [5, §2].
Although we will not use this overtly, for context we recall the explicit description of the monodromy representation of (3.1.1.1).

Proposition 3.1.11. Suppose that $m = n$ and that $\alpha_i - \beta_j \notin \mathbb{Z}$ for $i, j = 1, \dots, n$.
(a) Put $a_i := \exp(2\pi i\alpha_i)$, $b_i := \exp(2\pi i\beta_i)$ and define the polynomials
$$\prod_{i=1}^{n}(T - a_i) = T^n + A_1T^{n-1} + \cdots + A_n, \qquad \prod_{i=1}^{n}(T - b_i) = T^n + B_1T^{n-1} + \cdots + B_n.$$
Then in a suitable basis (see Remark 3.1.12), the local monodromy operators of (3.1.1.1) may be taken to be
$$h_0 := B^{-1}, \qquad h_1 := A^{-1}B, \qquad h_\infty := A \in \mathrm{GL}_n(\mathbb{C}),$$
$$A := \begin{pmatrix} 0 & 0 & \cdots & 0 & -A_n\\ 1 & 0 & \cdots & 0 & -A_{n-1}\\ \vdots & \ddots & & & \vdots\\ 0 & 0 & \cdots & 1 & -A_1\end{pmatrix}, \qquad B := \begin{pmatrix} 0 & 0 & \cdots & 0 & -B_n\\ 1 & 0 & \cdots & 0 & -B_{n-1}\\ \vdots & \ddots & & & \vdots\\ 0 & 0 & \cdots & 1 & -B_1\end{pmatrix}.$$
(b) The representation described in (a) is irreducible.
(c) The matrix $h_1$ is a complex reflection with special eigenvalue $c := \exp(2\pi i\gamma)$, meaning that $h_1 - 1$ has rank 1.

Proof. Part (a) is a theorem of Levelt [5, Theorem 3.5]. Parts (b) and (c) are immediate corollaries; see [5, Proposition 3.3] for (b) and [5, Proposition 2.10] for (c).

Remark 3.1.12. In Proposition 3.1.11, if one further assumes that the $\alpha_i$ and $\beta_j$ are all distinct mod $\mathbb{Z}$, one can make the choice of a "suitable basis" quite explicit in terms of the local solutions given by Corollary 3.1.7. This was originally shown by Golyshev–Mellit [23].

Remark 3.1.13. In case $m \neq n$, the local structure of the singularities of (3.1.1.1) is rather different; to simplify notation, we assume that $m < n$. In this case, (3.1.1.1) is of order $n$ and its local monodromy at 0 is as described above; however, we no longer have a singularity at $z = 1$, and the singularity at $z = \infty$ is now irregular. This can be understood in terms of confluence, where the regular singularities at 1 and $\infty$ have coalesced into an irregular singularity upon degeneration of one of the parameters. To make this more explicit, consider the one-parameter family of hypergeometric equations
$$P(\alpha_1, \dots, \alpha_m, 1/t, \dots, 1/t; \beta_1, \dots, \beta_n)$$
(with $n - m$ copies of $1/t$)
indexed by a parameter $t$. This is equivalent via the substitution $z \mapsto t^{n-m}z$ to the equation
$$z\prod_{i=1}^{m}(D + \alpha_i)\prod_{i=m+1}^{n}(tD + 1) - \prod_{j=1}^{n}(D + \beta_j - 1)$$
with a regular singularity at $z = t^{m-n}$. Taking the limit as $t \to 0$ yields the operator $P(\alpha_1, \dots, \alpha_m; \beta_1, \dots, \beta_n)$.
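The following Python script is an added numerical check of Propositions 3.1.10 and 3.1.11, not part of the original paper. It builds the companion matrices $A, B$ from chosen exponents, forms $h_0 = B^{-1}$, $h_1 = A^{-1}B$, $h_\infty = A$, and verifies the three structural facts those results predict: $h_\infty h_1 h_0 = 1$, $h_1 - 1$ has rank 1, and $\det h_1 = c = \exp(2\pi i\gamma)$ with $\gamma = \sum\beta_i - \sum\alpha_i$ the exceptional exponent at $z = 1$. The small linear-algebra helpers and the sample exponents are my own; everything is plain floating-point complex arithmetic with an explicit tolerance.

```python
import cmath

TOL = 1e-9  # tolerance for the floating-point checks below


def poly_from_roots(roots):
    """Coefficients [1, C_1, ..., C_n] of prod_i (T - r_i) = T^n + C_1 T^{n-1} + ... + C_n."""
    coeffs = [1 + 0j]
    for r in roots:
        nxt = coeffs + [0j]
        for k in range(1, len(nxt)):
            nxt[k] -= r * coeffs[k - 1]
        coeffs = nxt
    return coeffs


def companion(roots):
    """Companion matrix in the shape of Proposition 3.1.11(a): ones on the subdiagonal,
    last column (-C_n, -C_{n-1}, ..., -C_1) from top to bottom, zeros elsewhere."""
    n = len(roots)
    C = poly_from_roots(roots)[1:]  # C[k-1] holds C_k
    M = [[0j] * n for _ in range(n)]
    for k in range(1, n):
        M[k][k - 1] = 1 + 0j
    for k in range(n):
        M[k][n - 1] = -C[n - 1 - k]
    return M


def identity(n):
    return [[1 + 0j if i == j else 0j for j in range(n)] for i in range(n)]


def matmul(P, Q):
    n = len(P)
    return [[sum(P[i][k] * Q[k][j] for k in range(n)) for j in range(n)] for i in range(n)]


def inverse(M):
    """Gauss-Jordan inverse with partial pivoting."""
    n = len(M)
    aug = [list(row) + identity(n)[i] for i, row in enumerate(M)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < TOL:
            raise ValueError("singular matrix")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(n):
            if r != col:
                f = aug[r][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def rank_and_det(M):
    """Rank (pivots larger than TOL) and determinant by Gaussian elimination."""
    M = [list(row) for row in M]
    n = len(M)
    rank, det = 0, 1 + 0j
    for col in range(n):
        if rank == n:
            break
        pivot = max(range(rank, n), key=lambda r: abs(M[r][col]))
        if abs(M[pivot][col]) < TOL:
            det = 0j
            continue
        if pivot != rank:
            M[rank], M[pivot] = M[pivot], M[rank]
            det = -det
        det *= M[rank][col]
        for r in range(rank + 1, n):
            f = M[r][col] / M[rank][col]
            M[r] = [a - f * b for a, b in zip(M[r], M[rank])]
        rank += 1
    return rank, det


def local_monodromy(alphas, betas):
    """(h_0, h_1, h_inf) = (B^{-1}, A^{-1} B, A) of Proposition 3.1.11(a), where A, B are the
    companion matrices of prod (T - e^{2 pi i alpha_i}) and prod (T - e^{2 pi i beta_i})."""
    a = [cmath.exp(2j * cmath.pi * x) for x in alphas]
    b = [cmath.exp(2j * cmath.pi * x) for x in betas]
    A, B = companion(a), companion(b)
    return inverse(B), matmul(inverse(A), B), A


def check_levelt(alphas, betas):
    """h_inf h_1 h_0 = 1; h_1 - 1 of rank 1 (h_1 is a complex reflection);
    det h_1 = c = exp(2 pi i gamma), gamma = sum(beta) - sum(alpha) as in Proposition 3.1.10."""
    n = len(alphas)
    h0, h1, hinf = local_monodromy(alphas, betas)
    I = identity(n)
    P = matmul(matmul(hinf, h1), h0)
    relation = all(abs(P[i][j] - I[i][j]) < TOL for i in range(n) for j in range(n))
    rank, _ = rank_and_det([[h1[i][j] - I[i][j] for j in range(n)] for i in range(n)])
    _, det = rank_and_det(h1)
    c = cmath.exp(2j * cmath.pi * (sum(betas) - sum(alphas)))
    return {"relation": relation, "rank_h1_minus_1": rank, "det_h1_is_c": abs(det - c) < TOL}


if __name__ == "__main__":
    print(check_levelt([0.25, 0.75], [0.0, 0.5]))  # constructed sample exponents
    print(check_levelt([0.2, 0.4, 0.6], [0.0, 1 / 3, 2 / 3]))
```

The rank statement is transparent from the construction: $h_1 - 1 = A^{-1}(B - A)$ and $B - A$ is supported in the last column, so the hypothesis $\alpha_i - \beta_j \notin \mathbb{Z}$ is only needed to make the representation irreducible, not for (c).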
3.2. The GKZ interpretation. In preparation for adopting the point of view of Dwork [16], we recall the description of the hypergeometric equation (3.1.1.1) in terms of a GKZ (Gelfand–Kapranov–Zelevinsky) $A$-hypergeometric system, following [18] (see also [1], [10, §1.4], and [9, §2]). We begin by rewriting the hypergeometric equation to simplify the dependence on the parameters $\alpha, \beta$ at the expense of replacing the original series with a function of multiple variables. (Warning: the use of the letter $\Phi$ here has nothing to do with the Frobenius intertwiners discussed in §2.3.)

Lemma 3.2.1. Consider a function $\Phi(x, y)$ of indeterminates $x = x_1, \dots, x_m$ and $y = y_1, \dots, y_n$. (For the moment, we leave it unspecified what sort of function we have in mind.)
(a) The function $\Phi$ is annihilated by the operators
$$x_j\frac{\partial}{\partial x_j} + y_k\frac{\partial}{\partial y_k} + \alpha_j - \beta_k + 1 \qquad (j = 1, \dots, m;\ k = 1, \dots, n) \tag{3.2.1.1}$$
if and only if there exists a univariate function $f(z)$ such that
$$\Phi(x, y) = x_1^{-\alpha_1}\cdots x_m^{-\alpha_m}y_1^{\beta_1 - 1}\cdots y_n^{\beta_n - 1}f\bigl((-1)^m x_1^{-1}\cdots x_m^{-1}y_1\cdots y_n\bigr). \tag{3.2.1.2}$$
(b) For $\Phi, f$ satisfying (3.2.1.2), $\Phi$ is annihilated by the operator
$$\prod_{j=1}^{m}\frac{\partial}{\partial x_j} - \prod_{j=1}^{n}\frac{\partial}{\partial y_j} \tag{3.2.1.3}$$
if and only if $f$ is a solution of the hypergeometric equation (3.1.1.1).

Proof. For $\Phi$ as in (3.2.1.2) and $z = (-1)^m x_1^{-1}\cdots x_m^{-1}y_1\cdots y_n$, writing $M := x_1^{-\alpha_1}\cdots x_m^{-\alpha_m}y_1^{\beta_1 - 1}\cdots y_n^{\beta_n - 1}$ for the monomial prefactor, we have
$$x_j\frac{\partial}{\partial x_j}(\Phi)(x, y) = M\cdot((-D - \alpha_j)(f))(z), \tag{3.2.1.4}$$
$$y_j\frac{\partial}{\partial y_j}(\Phi)(x, y) = M\cdot((D + \beta_j - 1)(f))(z). \tag{3.2.1.5}$$
In particular, any such $\Phi$ satisfies (3.2.1.1). Conversely, to check that any $\Phi$ satisfying (3.2.1.1) satisfies (3.2.1.2) for some $f$, we may formally reduce to the case where $\alpha_i = 0$, $\beta_i = 1$ for all $i$. In this case, (3.2.1.1) implies that $\Phi$ remains constant under any substitution of the form
$$x_j \mapsto cx_j, \qquad y_k \mapsto cy_k$$
(for some $j, k$, with the other variables left unchanged); consequently, (3.2.1.2) holds for $f(z) := \Phi(1, \dots, 1, (-1)^m z)$. This proves (a).
For $z$ as above, the operator (3.2.1.3) may be rewritten as
$$y_1^{-1}\cdots y_n^{-1}\left(z\prod_{j=1}^{m}\Bigl(-x_j\frac{\partial}{\partial x_j}\Bigr) - \prod_{j=1}^{n}y_j\frac{\partial}{\partial y_j}\right).$$
This makes it clear that from (3.2.1.4), (3.2.1.5), we immediately deduce (b).

Corollary 3.2.2. Suppose that $\beta_1, \dots, \beta_n$ are pairwise distinct modulo $\mathbb{Z}$. In terms of the indeterminates $x, y = x_1, \dots, x_m, y_1, \dots, y_n$, for $i = 1, \dots, n$ define (formally)
$$f_i(z) := z^{1-\beta_i}\,{}_mF_{n-1}\left(\begin{matrix}\alpha_1 - \beta_i + 1, \dots, \alpha_m - \beta_i + 1\\ \beta_1 - \beta_i + 1, \dots, \widehat{\beta_i - \beta_i + 1}, \dots, \beta_n - \beta_i + 1\end{matrix}; z\right),$$
$$\Phi_i(x, y) := x_1^{-\alpha_1}\cdots x_m^{-\alpha_m}y_1^{\beta_1 - 1}\cdots y_n^{\beta_n - 1}f_i\bigl((-1)^m x_1^{-1}\cdots x_m^{-1}y_1\cdots y_n\bigr).$$
Then $\Phi_1, \dots, \Phi_n$ are all annihilated by the operators (3.2.1.1) and (3.2.1.3).

Proof. Combine Lemma 3.2.1 with Corollary 3.1.7.

Definition 3.2.3. For $m$ a positive integer, let $W_m := \mathbb{C}\langle x_1, \dots, x_m, \partial_1, \dots, \partial_m\rangle$ denote the Weyl algebra, i.e., the quotient of the noncommutative polynomial algebra in $x_1, \dots, x_m, \partial_1, \dots, \partial_m$ by the two-sided ideal generated by
$$x_ix_j - x_jx_i, \qquad \partial_i\partial_j - \partial_j\partial_i, \qquad \partial_ix_j - x_j\partial_i \ (i \neq j), \qquad \partial_ix_i - x_i\partial_i - 1 \qquad (i, j = 1, \dots, m).$$
We write $\theta_i$ as shorthand for $x_i\partial_i$. For $d$ a nonnegative integer, let $A$ be a $d \times m$ matrix over $\mathbb{Z}$. (In the notation of [1, §2], our $d$ is $n$ therein, our $m$ is $N$ therein, and the columns of $A$ correspond to the lattice points therein.) The toric ideal associated to $A$ is the ideal
$$I_A = \bigl(\partial^u - \partial^v : u, v \in \mathbb{Z}_{\geq 0}^m,\ Au = Av\bigr) \subseteq \mathbb{C}[\partial_1, \dots, \partial_m]$$
generated by the indicated binomials, where $\partial^u := \partial_1^{u_1}\cdots\partial_m^{u_m}$. For $\delta \in \mathbb{C}^d$ a column vector, for $i = 1, \dots, d$ we may define an Euler operator
$$A_{i1}\theta_1 + \cdots + A_{im}\theta_m + \delta_i \in W_m$$
(the sign of $\delta_i$ is chosen to match the operators $D_{A,\delta,i}$ of Definition 3.3.1 below). The GKZ ideal (or hypergeometric ideal) defined by $A$ and $\delta$ is the left ideal $J_{A,\delta}$ of $W_m$ generated by $I_A$ and the Euler operators.

Example 3.2.4. Define the $(m + n - 1) \times (m + n)$ matrix $A$ over $\mathbb{Z}$ by the block expression
$$A = \begin{pmatrix} I_m & 0 & \mathbf{1}\\ 0 & -I_{n-1} & \mathbf{1}\end{pmatrix},$$
where $\mathbf{1}$ denotes a column of ones; the toric ideal is generated by $\partial_1\cdots\partial_m - \partial_{m+1}\cdots\partial_{m+n}$. Let $\delta \in \mathbb{C}^{m+n-1}$ be the column vector
$$(\alpha_1 - \beta_n + 1, \dots, \alpha_m - \beta_n + 1, \beta_1 - \beta_n, \dots, \beta_{n-1} - \beta_n);$$
the Euler operators then have the form
$$\theta_j + \theta_{m+n} + \alpha_j - \beta_n + 1 \quad (j = 1, \dots, m), \qquad -\theta_{m+j} + \theta_{m+n} + \beta_j - \beta_n \quad (j = 1, \dots, n - 1).$$
By Lemma 3.2.1, the formula
$$\Phi(x_1, \dots, x_{m+n}) = x_1^{-\alpha_1}\cdots x_m^{-\alpha_m}x_{m+1}^{\beta_1 - 1}\cdots x_{m+n}^{\beta_n - 1}f\bigl((-1)^m x_1^{-1}\cdots x_m^{-1}x_{m+1}\cdots x_{m+n}\bigr) \tag{3.2.4.1}$$
defines a bijection between the functions $f(z)$ satisfying (3.1.1.1) and the functions $\Phi(x_1, \dots, x_{m+n})$ annihilated by $J_{A,\delta}$. It will be useful to also have a symmetric variant of Example 3.2.4.

Example 3.2.5. Define an $mn \times (m + n)$ matrix $A$ over $\mathbb{Z}$, using the index set $\{1, \dots, m\} \times \{1, \dots, n\}$ in place of $\{1, \dots, mn\}$, by
$$A_{(i_1, i_2)j} = \begin{cases} 1 & j \in \{i_1, m + i_2\}\\ 0 & \text{otherwise,}\end{cases}$$
and a column vector $\delta \in \mathbb{C}^{mn}$ by $\delta_{(i_1, i_2)} = \alpha_{i_1} - \beta_{i_2} + 1$. The Euler operators then have the form
$$\theta_{i_1} + \theta_{m + i_2} + \alpha_{i_1} - \beta_{i_2} + 1 \qquad (i_1 = 1, \dots, m;\ i_2 = 1, \dots, n).$$
This GKZ system is isomorphic to the previous one, in a sense to be made explicit in §3.4.

Remark 3.2.6. Let $d', m'$ be two more positive integers, let $A'$ be a $d' \times m'$ matrix over $\mathbb{Z}$, and let $\delta' \in \mathbb{C}^{d'}$. We then have a canonical isomorphism of $\mathbb{C}$-vector spaces
$$W_m/J_{A,\delta} \otimes_{\mathbb{C}} W_{m'}/J_{A',\delta'} \cong W_{m+m'}/J_{A \oplus A', \delta \oplus \delta'}$$
which promotes to an isomorphism of left $W_{m+m'}$-modules if we identify the variables of $W_{m'}$ with the variables $x_{m+1}, \dots, x_{m+m'}, \partial_{m+1}, \dots, \partial_{m+m'}$ of $W_{m+m'}$.

Remark 3.2.7. In Example 3.2.4, if we drop the last column, the toric ideal becomes the zero ideal. In this case, the functions annihilated by $J_{A,\delta}$ are just the constant multiples of
$$x_1^{-\alpha_1 + \beta_n - 1}\cdots x_m^{-\alpha_m + \beta_n - 1}x_{m+1}^{\beta_1 - \beta_n}\cdots x_{m+n-1}^{\beta_{n-1} - \beta_n};$$
this can be viewed as an instance of the product construction described in Remark 3.2.6.

Remark 3.2.8. A comment related to Remark 3.2.7 is that the definition of a GKZ system in Example 3.2.4 is insensitive to an overall translation
$$\alpha_i \mapsto \alpha_i + c, \qquad \beta_i \mapsto \beta_i + c;$$
the value of $c$ only appears in the comparison with the hypergeometric equation in (3.2.4.1) (and specifically in the exponents of the leading powers).

3.3. Dwork's exponential module. Returning to the general GKZ setup, we now introduce Dwork's construction of the exponential module (compare [17, §4]).

Definition 3.3.1. Retain notation as in Definition 3.2.3. Let $R_A$ be the $\mathbb{C}$-subalgebra of $\mathbb{C}[X_1^{\pm}, \dots, X_d^{\pm}]$ generated by the monomials $X^{(j)} := X_1^{A_{1j}}\cdots X_d^{A_{dj}}$ for $j = 1, \dots, m$. Define also $R_A[x] := R_A[x_1, \dots, x_m]$. Define the element
$$g_A := \lambda\sum_{j=1}^{m}x_jX^{(j)} \in R_A[x].$$
(In the original construction one takes $\lambda = 1$; since we can absorb $\lambda$ by rescaling $x_j$ there is no extra generality in varying $\lambda$, but this will be convenient for the construction of Frobenius structures.)
There are obvious "natural" actions of the derivations
$$\Theta_1, \dots, \Theta_d := X_1\frac{\partial}{\partial X_1}, \dots, X_d\frac{\partial}{\partial X_d}, \qquad \partial_1, \dots, \partial_m$$
on $R_A[x]$ (but not of $\frac{\partial}{\partial X_i}$ in general). Define the twisted operators
$$\partial_{A,j} := \partial_j + \partial_j(g_A) = \partial_j + \lambda X^{(j)}, \qquad D_{A,\delta,i} := \Theta_i + \Theta_i(g_A) + \delta_i = X_i\frac{\partial}{\partial X_i} + \delta_i + \lambda\sum_{j=1}^{m}A_{ij}x_jX^{(j)}.$$
We give $R_A[x]$ the structure of a left $W_m$-module by specifying that $\partial_j$ acts via $\partial_{A,j}$.

Remark 3.3.2. In the setting of Example 3.2.4, we have
$$g_A = \lambda\bigl(x_1X_1 + \cdots + x_mX_m + x_{m+1}X_{m+1}^{-1} + \cdots + x_{m+n-1}X_{m+n-1}^{-1} + x_{m+n}X_1\cdots X_{m+n-1}\bigr),$$
$$D_{A,\delta,i} = X_i\frac{\partial}{\partial X_i} + \lambda x_iX_i + \lambda x_{m+n}X_1\cdots X_{m+n-1} + \alpha_i - \beta_n + 1 \qquad (i = 1, \dots, m),$$
$$D_{A,\delta,i} = X_i\frac{\partial}{\partial X_i} - \lambda x_iX_i^{-1} + \lambda x_{m+n}X_1\cdots X_{m+n-1} + \beta_{i-m} - \beta_n \qquad (i = m + 1, \dots, m + n - 1).$$

Lemma 3.3.3. The formula $x_1 \mapsto x_1, \dots, x_m \mapsto x_m$, $\partial_1 \mapsto \lambda X^{(1)}, \dots, \partial_m \mapsto \lambda X^{(m)}$ (that is, $\partial_j \mapsto \partial_{A,j}(1)$) defines a surjective homomorphism $\phi: W_m \to R_A[x]$ of left $W_m$-modules (for the exotic module structure on $R_A[x]$ from Definition 3.3.1) which induces the following isomorphisms of left $W_m$-modules:
$$W_m/W_mI_A \cong R_A[x], \qquad W_m/J_{A,\delta} \cong R_A[x]\Big/\sum_{i=1}^{d}D_{A,\delta,i}R_A[x].$$

Proof. See [1, Theorem 4.4]. (Compare also [18, Theorem 6.8] and [16, Corollary 11.1.3].)

Remark 3.3.4. Even beyond the setting of Example 3.2.4, one can give a good "toric" description of $W_m/J_{A,\delta}$. As this is not necessary for our purposes, we defer to [1] for details.

3.4. Morphisms of $A$-hypergeometric systems.
Definition 3.4.1. Let $A'$ be a $d' \times m$ matrix over $\mathbb{Z}$ and let $\delta' \in \mathbb{C}^{d'}$ be a column vector. By a morphism from the GKZ hypergeometric system with parameters $(A, \delta)$ to the GKZ hypergeometric system with parameters $(A', \delta')$, we will mean a homomorphism $\psi: R_A[x] \to R_{A'}[x]$ of $\mathbb{C}$-modules which induces a homomorphism
$$\psi: R_A[x]\Big/\sum_{i=1}^{d}D_{A,\delta,i}R_A[x] \to R_{A'}[x]\Big/\sum_{i'=1}^{d'}D_{A',\delta',i'}R_{A'}[x].$$
In order to make this meaningful, we must also have some compatibility with the $\partial_j$; we will describe this on a case-by-case basis.

Construction 3.4.2. Let $B$ be a $d' \times d$ matrix over $\mathbb{Z}$ and let $B'$ be a $d \times d'$ matrix over $\mathbb{Z}$ satisfying
$$BA = A', \qquad B'A' = A, \qquad B\delta = \delta', \qquad B'\delta' = \delta.$$
Consider the $\mathbb{C}$-algebra homomorphisms $\psi: R_A[x] \to R_{A'}[x]$, $\psi': R_{A'}[x] \to R_A[x]$ given by
$$\psi: x_j \mapsto x_j, \quad X_i \mapsto \prod_{i'=1}^{d'}X_{i'}'^{\,B_{i'i}}; \qquad \psi': x_j \mapsto x_j, \quad X'_{i'} \mapsto \prod_{i=1}^{d}X_i^{B'_{ii'}}.$$
These satisfy the following identities:
$$\psi' \circ \psi = \mathrm{id}_{R_A[x]}, \qquad \psi \circ \psi' = \mathrm{id}_{R_{A'}[x]}, \qquad \psi(g_A) = g_{A'}, \qquad \psi'(g_{A'}) = g_A,$$
$$D_{A',\delta',i'} \circ \psi = \sum_{i}B_{i'i}\,\psi \circ D_{A,\delta,i}, \qquad D_{A,\delta,i} \circ \psi' = \sum_{i'}B'_{ii'}\,\psi' \circ D_{A',\delta',i'}.$$
Consequently, $\psi$ and $\psi'$ define morphisms $(A, \delta) \to (A', \delta')$, $(A', \delta') \to (A, \delta)$ which are inverses of each other and manifestly commute with $\partial_1, \dots, \partial_m$.

Example 3.4.3. In Example 3.2.5, we have obvious isomorphisms as in Construction 3.4.2 corresponding to the permutations of $\alpha_1, \dots, \alpha_m$ and of $\beta_1, \dots, \beta_n$; however, these are not automorphisms because they change $\delta$. We may similarly construct an isomorphism effecting the interchange of parameters from Remark 3.1.2.

Example 3.4.4. We construct an isomorphism, in the sense of Construction 3.4.2, between the minimal GKZ system corresponding to a hypergeometric equation (Example 3.2.4) and the more symmetric version (Example 3.2.5). This uses the matrices
$$B_{(i_1, i_2)i} = \begin{cases} 1 & i = i_1\\ -1 & i = m + i_2\\ 0 & \text{otherwise,}\end{cases} \qquad B'_{i(i_1, i_2)} = \begin{cases} 1 & (i_1, i_2) = (i, n)\\ 1 & (i_1, i_2) = (i - m, n)\\ -1 & (i_1, i_2) = (i - m, i - m)\\ 0 & \text{otherwise,}\end{cases}$$
where $i$ runs over $\{1, \dots, m + n - 1\}$ (so the case $i = m + i_2$ only occurs for $i_2 < n$, and the cases involving $i - m$ only for $i > m$).

Construction 3.4.5. Let $T \in \mathbb{Z}^d$ be a vector in the column span of $A$ and put $A' := A$, $\delta' := \delta - T$. Let $\psi: R_A[x] \to R_A[x]$ be the map given by multiplication by $X_1^{T_1}\cdots X_d^{T_d}$; it satisfies
$$D_{A',\delta',i} \circ \psi = \psi \circ D_{A,\delta,i} \qquad (i = 1, \dots, d)$$
and therefore defines a morphism $(A, \delta) \to (A', \delta')$ which manifestly commutes with $\partial_1, \dots, \partial_m$.
We now consider some cases where the interaction with $\partial_1, \dots, \partial_m$ is a bit more subtle.

Construction 3.4.6. Let $A'$ be the $d \times (m - 1)$ matrix obtained from $A$ by omitting the last column, and put $\delta' := \delta$. The ring homomorphism $\psi: R_A[x] \to R_{A'}[x]$ specializing $x_m$ to 0 then satisfies
$$D_{A',\delta,i} \circ \psi = \psi \circ D_{A,\delta,i} \qquad (i = 1, \dots, d);$$
consequently, it defines a morphism $(A, \delta) \to (A', \delta')$ which commutes with the operators $\partial_1, \dots, \partial_{m-1}$. This does not extend to $\partial_m$ because no such operator has been defined on $R_{A'}[x]$.

Construction 3.4.7. Put $A' := A$, $\delta' := p\delta$, and consider the morphism $\varphi: R_A[x] \to R_A[x]$ given by the substitution $x_j \mapsto x_j^p$, $X_i \mapsto X_i^p$. If we define
$$h := \lambda\sum_{j=1}^{m}\bigl(x_jX^{(j)} - (x_jX^{(j)})^p\bigr) = g_A - \varphi(g_A),$$
then
$$(D_{A,p\delta,i} - \Theta_i(h)) \circ \varphi = p\,\varphi \circ D_{A,\delta,i} \qquad (i = 1, \dots, d),$$
$$(x_j\partial_{A,j} - x_j\partial_j(h)) \circ \varphi = p\,\varphi \circ (x_j\partial_{A,j}) \qquad (j = 1, \dots, m).$$
Formally, this means that $\exp(-h)\varphi$ is a morphism which defines a Frobenius intertwiner (because of the factor of $p$ in the second relation; the factor $\exp(-h)$ is what absorbs the correction terms $-\Theta_i(h)$ and $-x_j\partial_j(h)$, since $\Theta_i(\exp(-h)u) = \exp(-h)(\Theta_i(u) - \Theta_i(h)u)$). In the $p$-adic context, this becomes not merely formal because of the convergence properties of the Dwork exponential series (for a suitable choice of $\lambda$).

Remark 3.4.8. Somewhat tangentially to our current discussion, we note that one could also make the Frobenius intertwiner nonformal by working over a base ring equipped with a topology in which $\lambda$, $x_j - 1$, and $X_i - 1$ are small enough to make the series $\exp(-h)$ convergent. This hints towards a potential connection with $q$-de Rham cohomology in the sense of Scholze [39] and prismatic cohomology in the sense of Bhatt–Scholze [6].

4. Hypergeometric Frobenius intertwiners

We now give our interpretation of Dwork's construction of Frobenius intertwiners for hypergeometric equations, based on morphisms of $A$-hypergeometric systems.

4.1. Existence of Frobenius intertwiners.

Definition 4.1.1. Fix a choice of $\pi$ in an algebraic closure of $\mathbb{Q}_p$ satisfying $\pi^{p-1} = -p$. Define the Dwork exponential series to be the series
$$E_\pi(t) := \sum_{j=0}^{\infty}c_jt^j = \exp(\pi(t - t^p));$$
it has radius of convergence $p^{(p-1)/p^2} > 1$ [37, §VII.2.4].
Theorem 4.1.2 (Dwork). Let $\alpha; \beta$ and $\alpha'; \beta'$ be two sequences in $\mathbb{Z}_p$ such that $p\alpha; p\beta$ are congruent modulo $\mathbb{Z}$ to some permutations of $\alpha'; \beta'$. Then over $\mathbb{Q}_p(\pi)$, there exists a Frobenius intertwiner between the connections corresponding to $P(\alpha, \beta)$ and $P(\alpha', \beta')$.
Proof. We construct the desired intertwiner as follows.
• Take $A, \delta$ as in Example 3.2.5, then apply Construction 3.4.7 (taking $\lambda$ there to be our chosen $\pi$) to replace $\alpha; \beta$ with $p\alpha; p\beta$.
• Use Construction 3.4.5 to replace $p\alpha; p\beta$ with a permutation of $\alpha'; \beta'$.
• Use Example 3.4.3 to undo the permutation of $\alpha'; \beta'$.
Note that the convergence property of the Dwork exponential is needed in the first step.

Remark 4.1.3. In Theorem 4.1.2, if $m = n$ and $\alpha_i - \beta_j \notin \mathbb{Z}$ for all $i, j$, then we may combine Lemma 2.3.6 and Proposition 3.1.11 to deduce that the Frobenius intertwiner is unique up to scalar multiplication. On the other hand, we can resolve the ambiguity completely by observing that the construction given by Theorem 4.1.2 has the following properties.
(a) In case $\alpha = \alpha'$, $\beta = \beta'$, the Frobenius intertwiner is the identity.
(b) The construction of the Frobenius intertwiner is compatible (in a natural sense which we decline to notate) with permutations of each of $\alpha, \beta, \alpha', \beta'$.
(c) Suppose that
$$\alpha'_i = p\alpha_i + \mu_i, \qquad \beta'_j = p\beta_j + \nu_j \qquad (\mu_i, \nu_j \in \mathbb{Z}). \tag{4.1.3.1}$$
Then the restriction of the Frobenius intertwiner to any fixed point of $X$ varies $p$-adically continuously as we vary $\alpha, \beta$ while maintaining (4.1.3.1) and fixing $\mu_i, \nu_j$.

Remark 4.1.4. For $n = 2$, an alternate construction of the Frobenius intertwiner has been given by Salinier [38] using rigidity; this has been generalized to all $n$ by Vargas Montoya [44]. While this approach is technically simpler than Dwork's method, the latter is more useful for our ultimate aim of making explicit computations.

4.2. Gamma factors and the Dwork exponential series. In order to make use of Construction 3.4.7, we recall the description due to Dwork¹ [7], [15, §1] of the relationship between the Morita $p$-adic gamma function and Gauss sums provided by the Gross–Koblitz formula [25]. See Remark 5.1.2 for the geometric interpretation of this.

Definition 4.2.1. Recall (or see [37, §VII.1.1]) that there exists a unique continuous function $\Gamma_p\colon \mathbb{Z}_p \to \mathbb{Z}_p^\times$ characterized by the properties
$$\Gamma_p(0) = 1, \tag{4.2.1.1}$$
$$\frac{\Gamma_p(x+1)}{\Gamma_p(x)} = \begin{cases} -x & x \notin p\mathbb{Z}_p \\ -1 & x \in p\mathbb{Z}_p. \end{cases} \tag{4.2.1.2}$$
This function is the Morita $p$-adic gamma function.

Definition 4.2.2. For $a, b \in \mathbb{Z}_{(p)} \setminus \mathbb{Z}$ with $pb - a = \mu \in \mathbb{Z}$, Dwork defines the symbol $\gamma_p(a, b) \in \mathbb{Q}_p(\pi)$ by the formula
$$\gamma_p(a, b) = \sum_{i \in \mathbb{Z}} c_{pi+\mu} \frac{(b)_i}{(-\pi)^i}.$$

¹ The attribution is predicated on the fact that [7] was written by Dwork under the pseudonym Maurizio Boyarsky [31, p. 341, first sidebar].
Equivalently, writing
$$\psi(f)(x) = \frac{1}{p} \sum_{z^p = x} f(z),$$
we have
$$\psi\bigl(x^{a-pb} E_\pi(x)\bigr) \equiv \gamma_p(a, b) \tag{4.2.2.1}$$
modulo the image of the operator $x\frac{d}{dx} + b + \pi x$ acting on series in $x$ over $\mathbb{Q}_p(\pi)$. For fixed $\mu \in \mathbb{Z}$, using the series representation we may extend $\gamma_p(pb - \mu, b)$ to a continuous function of $b \in \mathbb{Z}_p$; note that $\gamma_p(0, 0) = 1$. For $s, t \in \mathbb{Z}$, we have the functional equation [15, (1.7)]
$$\gamma_p(a + s, b + t) = \gamma_p(a, b)\,(-\pi)^{t-s}\,\frac{(a)_s}{(b)_t}. \tag{4.2.2.2}$$

Theorem 4.2.3 (Dwork). For $a, b \in \mathbb{Z}_{(p)}$ with $pb - a = \mu \in \{0, \dots, p-1\}$, we have $\gamma_p(a, b) = \pi^\mu \Gamma_p(a)$.

Proof. Using the above discussion, one checks that $\gamma(a, b)/\pi^\mu$ satisfies the defining properties (4.2.1.1), (4.2.1.2) of $\Gamma_p(a)$; this proves the claim.

As indicated in [7], Theorem 4.2.3 can be viewed as an equivalent form of the Gross–Koblitz formula for Gauss sums [25]. In other words, we immediately compute the Frobenius intertwiners for hypergeometric equations of order 1.

Corollary 4.2.4. Let $\{x\} := x - \lfloor x \rfloor$ denote the fractional part of $x$. In the case $m = n = 1$, $\alpha_1, \alpha'_1, \beta_1, \beta'_1 \in [0, 1)$, $\alpha_1 \neq \beta_1$, for
$$\mu = p(\alpha_1 - \beta_1) - (\alpha'_1 - \beta'_1) \in \mathbb{Z},$$
the Frobenius intertwiner of Theorem 4.1.2 is given by multiplication by
$$\gamma(\alpha'_1 - \beta'_1 + 1, \alpha_1 - \beta_1 + 1) := \pi^\mu\, \Gamma_p(\{\alpha'_1 - \beta'_1\}) \times \begin{cases} \dfrac{1}{\alpha_1 - \beta_1} & \alpha_1 > \beta_1 \\[4pt] p & \alpha_1 < \beta_1 \end{cases} \times \begin{cases} \alpha'_1 - \beta'_1 & \alpha'_1 > \beta'_1 \\ -1 & \alpha'_1 < \beta'_1. \end{cases}$$

Proof. We first make some auxiliary calculations in order to prepare for the use of Theorem 4.2.3. Note that $p\alpha_1 - \alpha'_1,\ p\beta_1 - \beta'_1 \in \mathbb{Z} \cap (-1, p) = \{0, \dots, p-1\}$ and so
$$\mu = (p\alpha_1 - \alpha'_1) - (p\beta_1 - \beta'_1) \in \{1-p, \dots, p-1\}.$$
If $\alpha_1 > \beta_1$, then we also have $p(\alpha_1 - \beta_1) \in (0, p)$, $\alpha'_1 - \beta'_1 \in (-1, 1)$ and so
$$\mu \in \{1-p, \dots, p-1\} \cap (-1, p+1) = \{0, \dots, p-1\}. \tag{4.2.4.1}$$
Similarly, if $\alpha_1 < \beta_1$, then $p(\alpha_1 - \beta_1) \in (-p, 0)$, $\alpha'_1 - \beta'_1 \in (-1, 1)$ and so $\mu \in \{1-p, \dots, p-1\} \cap (-p-1, 1) = \{1-p, \dots, 0\}$ and
$$p(\alpha_1 - \beta_1 + 1) - (\alpha'_1 - \beta'_1 + 1) = (p-1) + \mu \in \{0, \dots, p-1\}. \tag{4.2.4.2}$$
In particular, $\mu$ is either zero or has the same sign as $\alpha_1 - \beta_1$.
By (4.2.2.1) and (4.2.2.2), the Frobenius intertwiner is given by multiplication by
$$\gamma(\alpha'_1 - \beta'_1 + 1, \alpha_1 - \beta_1 + 1) = \gamma(\alpha'_1 - \beta'_1, \alpha_1 - \beta_1)\,\frac{\alpha'_1 - \beta'_1}{\alpha_1 - \beta_1}.$$
In case $\alpha_1 < \beta_1$, we apply Theorem 4.2.3 and (4.2.4.2) to write
$$\gamma(\alpha'_1 - \beta'_1 + 1, \alpha_1 - \beta_1 + 1) = \pi^{(p-1)+\mu}\,\Gamma_p(\alpha'_1 - \beta'_1 + 1).$$
In case $\alpha_1 > \beta_1$, we may apply Theorem 4.2.3 and (4.2.4.1) to write
$$\gamma(\alpha'_1 - \beta'_1, \alpha_1 - \beta_1) = \pi^\mu\,\Gamma_p(\alpha'_1 - \beta'_1).$$
We can thus write the intertwiner as
$$\begin{cases} \pi^\mu\,\dfrac{\alpha'_1 - \beta'_1}{\alpha_1 - \beta_1}\,\Gamma_p(\alpha'_1 - \beta'_1) & \alpha_1 > \beta_1 \\[6pt] -p\,\pi^\mu\,\Gamma_p(\alpha'_1 - \beta'_1 + 1) & \alpha_1 < \beta_1, \end{cases} \tag{4.2.4.3}$$
using $\pi^{p-1} = -p$ in the second case. Now note that if $\alpha_1 - \beta_1$ and $\alpha'_1 - \beta'_1$ are of opposite sign, we cannot have $\mu = 0$, and so we can rewrite $(\alpha'_1 - \beta'_1)\Gamma_p(\alpha'_1 - \beta'_1)$ as $-\Gamma_p(\alpha'_1 - \beta'_1 + 1)$ or vice versa. This yields the stated formula.

4.3. Specialization and factorization. Using the GKZ interpretation, we may immediately extend the previous computation to arbitrary rank.

Hypothesis 4.3.1. Throughout §4.3, suppose that $m \le n$; $\alpha_i, \beta_j \in \mathbb{Z}_{(p)} \cap [0, 1)$ for $i, j = 1, \dots, n$; and $\alpha_i \neq \beta_j$ for $i, j = 1, \dots, n$. Define $\alpha'_i := \{p\alpha_i\}$, $\beta'_j := \{p\beta_j\}$.

Theorem 4.3.2. Suppose that $k \in \{1, \dots, n\}$ is such that $\beta_j \neq \beta_k$ for $j \neq k$. Then the matrix $\Phi_\lambda$ for $\lambda = \beta_k$ is the $1 \times 1$ scalar
$$\prod_{i=1}^{m} \gamma(\alpha'_i - \beta'_k + 1, \alpha_i - \beta_k + 1)\ \prod_{j=1}^{n} \gamma(\beta'_j - \beta'_k + 1, \beta_j - \beta_k + 1)^{-1}.$$
(Note that the factor $j = k$ contributes $1$ to the product.)

Proof. For ease of notation we treat only the case $k = n$. In this case, under the GKZ interpretation, we may read off $\Phi_\lambda$ by specializing $x_{m+n}$ to $0$ via the morphism from Construction 3.4.6. In this case, as per Remark 3.2.7 we obtain the specified factorization.

By combining Theorem 4.3.2 with Corollary 4.2.4, we get an explicit formula for the initial condition for the Frobenius intertwiner in the case where $\beta_1, \dots, \beta_n$ are pairwise distinct mod $\mathbb{Z}$.

Corollary 4.3.3. In addition to Hypothesis 4.3.1, suppose that $\beta_1, \dots, \beta_n$ are pairwise distinct. Consider the formal solution matrix obtained by multiplying the function (3.1.7.1) corresponding to $\beta_k$ by the scalar factor
$$\frac{\prod_{i=1}^{m} (\alpha_i - \beta_k)_+}{\prod_{j=1}^{n} (\beta_j - \beta_k)_+}, \qquad (x)_+ := \begin{cases} x & x > 0 \\ 1 & x \le 0. \end{cases} \tag{4.3.3.1}$$
Define the zigzag function associated to $\alpha, \beta$ as the function $Z\colon \mathbb{R} \to \mathbb{R}$ given by
$$Z(x) = \#\{i \in \{1, \dots, m\} : \alpha_i < x\} - \#\{j \in \{1, \dots, n\} : \beta_j < x\}.$$
Then the sole entry of $\Phi_\lambda$ for $\lambda = \beta_k$ can be written as
$$(-1)^{Z(\beta_k)}\, p^{Z(\beta_k)}\, \pi^{c}\, \frac{\prod_{i=1}^{m} \Gamma_p(\{\alpha'_i - \beta'_k\})}{\prod_{j=1}^{n} \Gamma_p(\{\beta'_j - \beta'_k\})} \qquad \text{for } c := \sum_{i=1}^{n} (p\alpha_i - \alpha'_i) - \sum_{j=1}^{n} (p\beta_j - \beta'_j).$$

Remark 4.3.4. In Corollary 4.3.3, the factor $\pi^c$ does not depend on $k$. We may thus eliminate it at the expense that our normalization no longer matches that of Theorem 4.2.3.

Remark 4.3.5. In applications, we will typically be interested in the case where, in addition to the conditions of Hypothesis 4.3.1, one has that $m = n$ and $\alpha, \beta \subset \mathbb{Z}_{(p)} \cap [0, 1)$ are Galois-stable, meaning that any two elements of $\mathbb{Z}_{(p)} \cap [0, 1)$ with the same denominator occur with the same multiplicity in $\alpha$ and $\beta$. These conditions ensure the existence of a family of hypergeometric motives with this hypergeometric equation as associated Picard–Fuchs equation. In this situation, a further renormalization beyond that of Remark 4.3.4 is sometimes warranted in order to ensure that the Frobenius structure correctly computes the characteristic polynomials of the $p$-Frobenius of the associated hypergeometric motives. This is achieved by taking the entry of $\Phi_\lambda$ to be
$$(-1)^{Z(\beta_k)}\, p^{Z(\beta_k) - \min\{Z(\beta_*)\}}\, \frac{\prod_{i=1}^{m} \Gamma_p(\{\alpha'_i - \beta'_k\})/\Gamma_p(\alpha_i)}{\prod_{j=1}^{n} \Gamma_p(\{\beta'_j - \beta'_k\})/\Gamma_p(\beta_j)}.$$
The net effect of the factors $\Gamma_p(\alpha_i)$ and $\Gamma_p(\beta_j)$ is limited by the identity
$$\Gamma_p(x)\,\Gamma_p(1 - x) = (-1)^{y}, \qquad y \in \{1, \dots, p\},\ y \equiv x \pmod p,$$
and its special case
$$\Gamma_p\!\left(\tfrac{1}{2}\right)^2 = (-1)^{(p+1)/2} \qquad (p \neq 2).$$

4.4. An example with repeated parameters. In lieu of extending Theorem 4.3.2 to the case where the $\beta_j$ are not all distinct (which would create some notational headaches), we sketch an example originally due to Shapiro [40, 41].

Example 4.4.1. Consider the case $m = n = 4$,
$$\alpha; \beta = \left(\tfrac{1}{5}, \tfrac{2}{5}, \tfrac{3}{5}, \tfrac{4}{5}\right); (1, 1, 1, 1).$$
This example is well-known; the corresponding hypergeometric equation is a Picard–Fuchs equation for the Dwork pencil of quintic threefolds. Assume $p \neq 2, 5$. (The restriction $p \neq 5$ is essential; the restriction $p \neq 2$ is probably not, but is made in [41].) For $\lambda = 0$, the matrix $\Phi_{\lambda,0}$ is upper-triangular with eigenvalues $1, p, p^2, p^3$. To compute the off-diagonal entries, we use $p$-adic interpolation: consider the statement of Corollary 4.3.3 for
$$\beta = (1, 1 + \varepsilon, 1 + 2\varepsilon, 1 + 3\varepsilon), \qquad \varepsilon := \frac{p^n}{3p^n + 1}.$$
For $U$ the formal solution matrix, the matrix $\Phi_U$ equals the diagonal matrix whose $k$-th diagonal entry (for $k = 0, \dots, 3$) equals
$$z^{(p-1)k\varepsilon}\,(-p)^k\, \frac{\Gamma_p(-\tfrac{1}{5} - k\varepsilon)\,\Gamma_p(-\tfrac{2}{5} - k\varepsilon)\,\Gamma_p(-\tfrac{3}{5} - k\varepsilon)\,\Gamma_p(-\tfrac{4}{5} - k\varepsilon)}{\Gamma_p(-k\varepsilon)\,\Gamma_p((1-k)\varepsilon)\,\Gamma_p((2-k)\varepsilon)\,\Gamma_p((3-k)\varepsilon)}.$$
Using Definition 4.2.2 and Theorem 4.2.3, one may compute coefficients of the Taylor series for $\Gamma_p$ (see for example [41, Proposition 3.1]); we may thus rewrite $\Phi_0$ truncated at $\varepsilon^4$, and the formal solution matrix $U$ truncated at $\varepsilon^4$ and $z^4$. Taking the limit of $\Phi = U\,\Phi_U\,\sigma(U^{-1})$ as $\varepsilon \to 0^+$, and using the relationship between derivatives of $\Gamma_p$ and $p$-adic zeta values (e.g., see [11, Proposition 11.5.19]), one may recover Shapiro's formula
$$\Phi_\lambda = \begin{pmatrix} 1 & 0 & 0 & \frac{3}{252}(p^3 - 1)\zeta_p(3) \\ 0 & p & 0 & 0 \\ 0 & 0 & p^2 & 0 \\ 0 & 0 & 0 & p^3 \end{pmatrix}.$$
We leave further details to the interested reader.

5. Applications to computation of L-functions

The formula of Dwork can be used as part of an efficient algorithm for computing Euler factors of L-functions associated to hypergeometric motives. We sketch this here. (In the case $n = 2$, an alternate approach has been described by Asakura [2].)

5.1. Hypergeometric motives.

Definition 5.1.1. Suppose that $m = n$ and that $\alpha, \beta \subset \mathbb{Q}$ are both Galois-stable. Then there exists a family of motives $H(\alpha; \beta; t)$ over $\mathbb{Q}(t)$ which for $t \notin \{0, 1\}$ is pure of dimension $n$ and weight
$$w = \max(Z) - \min(Z) - 1,$$
where $Z$ denotes the zigzag function defined in Corollary 4.3.3. For example, this motive can be found inside the family of varieties considered in [4]. If we specialize to a value of $t$ in $\overline{\mathbb{Q}}$, then the motive $H(\alpha; \beta; t)$ has good reduction at all places of the number field $\mathbb{Q}(t)$ at which $\alpha_1, \dots, \alpha_n, \beta_1, \dots, \beta_n$ have nonnegative valuation and $t, t^{-1}, t - 1$ have nonnegative valuation. An excluded prime is said to be wild if the first condition fails (note that this does not depend on $t$) and tame otherwise.

Remark 5.1.2. When the Galois-stable condition holds and the $\beta_j$ are pairwise distinct, the specialization of $H(\alpha; \beta; t)$ at $t = 0$ is a CM motive, whose associated L-function is therefore given by certain Jacobi sums. The formula given in Corollary 4.3.3 can also be derived by applying the Gross–Koblitz formula to these Jacobi sums.

When the $\beta_j$ are not pairwise distinct, the specialization of $H(\alpha; \beta; t)$ at $t = 0$ becomes a mixed motive, whose L-function then includes a contribution from extension classes. Again, it should be possible to make an explicit link with degenerations of Corollary 4.3.3; for example, in Example 4.4.1, the appearance of $\zeta_p(3)$ should be related via motivic considerations to a corresponding appearance of $\zeta(3)$ in mirror symmetry [35].
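The ingredients of the preceding sections that one actually evaluates in practice are the Morita gamma function of Definition 4.2.1 at elements of $\mathbb{Z}_{(p)}$ (the factors $\Gamma_p(\{\alpha'_i - \beta'_k\})$ of Corollary 4.3.3), the reflection identity of Remark 4.3.5, and the zigzag function with the weight $w = \max(Z) - \min(Z) - 1$ of Definition 5.1.1. The following Python is an added illustration of those computations; it is not code from this paper, nor from the SageMath or Magma hypergeometric packages cited in §5.2, and its function names and the interval-probing scheme for $Z$ are this example's own. For odd $p$ it evaluates $\Gamma_p$ on $\mathbb{Z}_{(p)}$ modulo $p^k$ through the congruence $\Gamma_p(n + p^k m) \equiv \Gamma_p(n) \pmod{p^k}$ for $n \ge 0$, which follows from (4.2.1.2) because the $p^k$ step factors contribute $(-1)^{p^k}$ times the product of a complete set of units modulo $p^k$, and that product is $-1$.

```python
# Added example, not from Kedlaya's paper nor from the SageMath/Magma hypergeometric
# packages it cites.  All function names are this example's own.
from fractions import Fraction
from typing import Iterable, Union

Rat = Union[int, str, Fraction]  # anything Fraction() accepts, e.g. "1/5"


def _step(p: int, x: int) -> int:
    """h(x) in Gamma_p(x+1) = h(x) Gamma_p(x): -x if p does not divide x, else -1 (4.2.1.2)."""
    return -1 if x % p == 0 else -x


def gamma_p_int(p: int, n: int) -> Fraction:
    """Gamma_p(n) for an integer n, from Gamma_p(0) = 1 and the step rule.
    For n < 0 the (invertible) step rule is run backwards; the result is a
    rational with denominator prime to p, as it must be for a value in Z_p^x."""
    val = Fraction(1)
    if n >= 0:
        for x in range(n):
            val *= _step(p, x)
    else:
        for x in range(-1, n - 1, -1):  # x = -1, -2, ..., n
            val /= _step(p, x)
    return val


def lift_mod(p: int, a: Rat, k: int) -> int:
    """The integer n in [0, p^k) with n = a (mod p^k); needs a in Z_(p)."""
    a = Fraction(a)
    if a.denominator % p == 0:
        raise ValueError("a is not p-integral")
    mod = p**k
    return a.numerator * pow(a.denominator, -1, mod) % mod


def gamma_p_mod(p: int, a: Rat, k: int) -> int:
    """Gamma_p(a) mod p^k for a in Z_(p), p odd.  Gamma_p is continuous and
    Gamma_p(n + p^k m) = Gamma_p(n) (mod p^k) for n >= 0: the p^k step factors
    give (-1)^{p^k} times the product of a full set of units mod p^k, i.e.
    (-1)(-1) = 1.  So it suffices to evaluate at the non-negative lift of a."""
    if p == 2:
        raise ValueError("the congruence used here needs p odd")
    mod = p**k
    val = 1
    for x in range(lift_mod(p, a, k)):
        val = val * _step(p, x) % mod
    return val


def reflection_sign(p: int, a: Rat) -> int:
    """(-1)^y with y in {1,...,p}, y = a (mod p): the value of Gamma_p(a) Gamma_p(1-a)."""
    y = lift_mod(p, a, 1) or p
    return -1 if y % 2 else 1


def zigzag(alpha: Iterable[Rat], beta: Iterable[Rat], x: Rat) -> int:
    """Z(x) = #{i : alpha_i < x} - #{j : beta_j < x} (Corollary 4.3.3)."""
    x = Fraction(x)
    return sum(Fraction(a) < x for a in alpha) - sum(Fraction(b) < x for b in beta)


def motivic_weight(alpha: Iterable[Rat], beta: Iterable[Rat]) -> int:
    """w = max(Z) - min(Z) - 1 (Definition 5.1.1).  Z is constant on the open
    intervals between parameters and Z(q) equals its value just left of q, so
    probing every interval (and beyond both ends) sees every value Z takes."""
    alpha = [Fraction(a) for a in alpha]
    beta = [Fraction(b) for b in beta]
    pts = sorted(set(alpha) | set(beta))
    probes = [pts[0] - 1, pts[-1] + 1] + [(u + v) / 2 for u, v in zip(pts, pts[1:])]
    vals = [zigzag(alpha, beta, x) for x in probes]
    return max(vals) - min(vals) - 1


if __name__ == "__main__":
    p, a = 7, Fraction(1, 5)
    g, g1 = gamma_p_mod(p, a, 3), gamma_p_mod(p, 1 - a, 3)
    # reflection identity Gamma_p(a) Gamma_p(1-a) = (-1)^y, checked modulo 7^3
    assert g * g1 % p**3 == reflection_sign(p, a) % p**3
    quintic = (["1/5", "2/5", "3/5", "4/5"], [0, 0, 0, 0])  # Example 4.4.1, beta taken in [0,1)
    print("Gamma_7(1/5) mod 7^3 =", g, "; weight of the quintic family =", motivic_weight(*quintic))
```

Run as a script, the block checks $\Gamma_7(1/5)\,\Gamma_7(4/5) \equiv -1 \pmod{7^3}$ and reports weight $3$ for the Dwork quintic parameters, the weight of a Calabi–Yau threefold. A rigorous computation of the entries of $\Phi_\lambda$ would additionally track the precision lost in the quotients and in the powers of $p$, and the congruence argument above is stated for odd $p$ only, which is why `gamma_p_mod` refuses $p = 2$.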
Remark 5.1.3. We expect that there are corresponding families of motives associated to GKZ systems associated to parameters $(A, \delta)$ with $\delta \in \mathbb{Q}^d$, under a suitable analogue of the Galois-stable condition: for each prime $p$ for which $\delta \in \mathbb{Z}_{(p)}^d$, the GKZ system with parameters $(A, p\delta)$ should be isomorphic to the original one.

Remark 5.1.4. The families $H(\alpha; \beta; t)$ and $H(\beta; \alpha; t^{-1})$ are isomorphic. This can be used in certain cases where one wants to make an asymmetric restriction on $\alpha$ and $\beta$, as in our computation of Frobenius structures.

5.2. The approach via trace formulas. Before describing the approach we have in mind, we describe an alternate approach for purposes of comparison.

Remark 5.2.1. Suppose that $t \in \mathbb{Q} \setminus \{0, 1\}$ and $p$ is a prime at which $H(\alpha; \beta; t)$ has good reduction. For $f$ a positive integer, let $H_{p^f}$ be the trace of the $f$-th power of the $p$-Frobenius acting on $H(\alpha; \beta; t)$; note that this depends only on the residue of $t$ modulo $p$. By combining [4] with the Gross–Koblitz formula, one can obtain a highly practical formula for $H_{p^f}$; this is a poorly documented result of Cohen–Rodriguez Villegas–Watkins, but the formula can be found in the documentation of the Magma package on hypergeometric motives: http://magma.maths.usyd.edu.au/magma/handbook/hypergeometric_motives. The same formula is also implemented in SageMath.

5.3. The approach via Frobenius structures. To simplify this discussion, we assume that $\beta_1, \dots, \beta_n$ are pairwise distinct. Recall that via Remark 5.1.4, we can swap $\alpha$ with $\beta$ to achieve this condition in some cases where it is not initially satisfied. Let $N$ denote the companion matrix for the differential operator $P(\alpha, \beta)$. Let $U$ denote the formal solution matrix obtained from the matrix $U$ of Corollary 3.1.9 by multiplying its $k$-th column by the factor (4.3.3.1) for $k = 1, \dots, n$.

By Theorem 4.2.3 and Corollary 4.3.3, there is a Frobenius structure on $N$ with $\Phi = U\,\Phi_0\,\sigma(U^{-1})$, where $\Phi_0$ is the matrix with
$$(\Phi_0)_{i,j} = (-1)^{Z(\beta_i)}\, p^{Z(\beta_j) - \min\{Z(\beta_*)\}}\, t^{1 - p + p\beta_j}\, \frac{\prod_{k=1}^{n} \Gamma_p(\{\alpha_k - \beta_i\})/\Gamma_p(\alpha_k)}{\prod_{k=1}^{n} \Gamma_p(\{\beta_k - \beta_i\})/\Gamma_p(\beta_k)}$$
whenever $\beta_i \equiv p\beta_j \pmod{\mathbb{Z}}$ and $(\Phi_0)_{i,j} = 0$ otherwise. Note that this computation nominally takes place in $\mathbb{Q}_p((t))$; in order to represent the elements of $\Phi$ as rigid analytic functions, we must multiply by a suitable power of $t - 1$, then truncate modulo suitable powers of $p$ and $t$. One can then specialize $t$ to any $(p-1)$-st root of unity to obtain a matrix whose characteristic polynomial gives the Euler factor of $H(\alpha; \beta; p)$. (Beware that we have not yet checked that the scalar normalization is correct. One way to do this would be to use this formula to reprove the Beukers–Cohen–Mellit trace formula.) We have an experimental SageMath implementation of this algorithm, and have done numerous tests to confirm its agreement with Beukers–Cohen–Mellit (albeit without fixing the precision estimates; see below). See [33].

Remark 5.3.1. In order to make the previous algorithm rigorous, one must bound the $p$-adic and $t$-adic precision requirements. The power of $t - 1$ can be estimated using the method of [34]. This depends on estimating the $p$-adic valuation of $\Phi_0$; this appears to be controlled by the $p$-adic valuations of the differences $\alpha_k - \beta_i$ and $\beta_k - \beta_i$. In any case, it appears that for a fixed $p$-adic truncation (which suffices
for the computation of Euler factors), the power of $t - 1$ is bounded independently of $p$; this means that the $t$-adic truncation can be bounded by $cp$ for some constant $c$ independent of $p$.

This has the following consequences for an average polynomial time algorithm. One is trying to evaluate the entries of the matrix $(t-1)^e\, U\,\Phi_0\,\sigma(U^{-1})$, modulo some fixed power of $p$; they look like polynomials of degree bounded by $cp$ where $c$ is independent of $p$. This means that for the purposes of evaluating $\sigma(U^{-1})$, we need only a constant number of terms of $U^{-1}$; these coefficients are moreover rational numbers with no dependence at all on $p$. We may thus frame the problem as that of computing, for various primes $p$, a certain $\mathbb{Q}$-linear combination of coefficients of terms of $U$ of the form $t^{ap+b}$ for certain fixed pairs $(a, b)$, then reducing the result modulo a fixed power of $p$.

5.4. Comparison of approaches. When comparing the relative efficacy of the trace formula and Frobenius structures, it is important to separate different use cases in which the relative strengths of the approaches play different roles. In the following discussion, we mostly ignore constants and logarithmic factors.

Remark 5.4.1. Suppose we wish to compute $H_p(\alpha; \beta; t)$ for a single choice of $\alpha, \beta, t$ and a single prime $p$. Both approaches have complexity linear in $p$; however, the trace formula carries less overhead in this context and thus is preferable in practice. Moreover, if one repeats the computation for the same $p$ and different values of $\alpha, \beta$, one can cache the Mahler expansion of $\Gamma_p$ for additional savings.

Remark 5.4.2. Suppose we fix $\alpha, \beta, p$, and wish to compute $H_p(\alpha; \beta; t)$ for all values of $t$ (or equivalently, for $t \in \{2, \dots, p-1\}$). In this case, the trace formula can be computed as a polynomial in a variable (running over $(p-1)$-st roots of unity); alternatively, the Frobenius structure can be computed and then specialized repeatedly.

Remark 5.4.3. Suppose we wish to compute the full Euler factor of the L-function associated to $H(\alpha; \beta; t)$ at a prime $p$. In this case, the trace formula approach requires computing $H_{p^f}(\alpha; \beta; t)$ for $f$ ranging from $1$ to half the degree of the associated L-function; the formula is a sum over $p^f - 1$ terms. By contrast, the Frobenius structure computation gives the entire Euler factor at once, with complexity linear in $p$.

Remark 5.4.4. Suppose we wish to compute the first $X$ Dirichlet coefficients of the L-function associated to $H(\alpha; \beta; t)$; this is the relevant use case when making numerical computations with the L-function. Using the trace formula directly scales quadratically in $X$; however, it should be possible to develop an average polynomial time algorithm in the sense of Harvey [26, 27] (see also [28, 29]). A partial result has been given by Costa–Kedlaya–Roe [13], who compute $H_p(\alpha; \beta; t) \pmod p$ for all primes $p \le X$ with complexity linear in $X$. As remarked upon in [13], it should be possible to adapt this approach to compute $H_p(\alpha; \beta; t)$ exactly for all primes $p \le X$ with similar complexity. It is less clear how to include higher prime powers into this approach. However, one can use Frobenius structures to circumvent this difficulty, by directly computing full Euler factors for all primes $p \le X^{1/2}$, then using these to recover $H_{p^f}(\alpha; \beta; t)$
for all prime powers $p^f \le X$ with $f > 1$. Since this involves $O(X^{1/2})$ computations each of complexity linear in $X^{1/2}$, this does not dominate the computation of prime Dirichlet coefficients.

Remark 5.4.5. Suppose we wish to compute the full Euler factors of the L-function associated to $H(\alpha; \beta; t)$ at all primes $p \le X$; this is the relevant use case when studying statistical properties of the Euler factors (e.g., the generalized Sato–Tate conjecture). In this case, it should be possible (and relatively straightforward) to give an average polynomial time computation using Frobenius structures; however, we do not develop this point further here.

6. Towards A-hypergeometric motives

In this paper, we have used only a restricted form of the theory of $A$-hypergeometric systems. However, it is likely that the circle of ideas giving rise to hypergeometric motives and L-functions can be extended beyond this special case; this question was posed at the end of the introduction of [13]. We record here some references that point towards such an extension.

The story of hypergeometric motives begins with Greene's construction of finite hypergeometric sums [24]. This was generalized to $A$-hypergeometric systems by Gelfand–Graev [21]. Greene's sums were reinterpreted in terms of $\ell$-adic cohomology by Katz [30]. This interpretation was extended to the Gelfand–Graev construction by Lei Fu [19]. The $p$-adic construction described in this paper has been generalized by Fu–Wan–Zhang [20]. However, we know of no analogue of the Beukers–Cohen–Mellit construction.

References

[1] Alan Adolphson, Hypergeometric functions and rings generated by monomials, Duke Math. J. 73 (1994), no. 2, 269–290, DOI 10.1215/S0012-7094-94-07313-4. MR1262208
[2] M. Asakura, An algorithm of computing special values of Dwork's p-adic hypergeometric functions in polynomial time, arXiv:1909.02700v3, 2020.
[3] Francesco Baldassarri, Continuity of the radius of convergence of differential equations on p-adic analytic curves, Invent. Math. 182 (2010), no. 3, 513–584, DOI 10.1007/s00222-010-0266-7. MR2737705
[4] Frits Beukers, Henri Cohen, and Anton Mellit, Finite hypergeometric functions, Pure Appl. Math. Q. 11 (2015), no. 4, 559–589, DOI 10.4310/PAMQ.2015.v11.n4.a2. MR3613122
[5] F. Beukers and G. Heckman, Monodromy for the hypergeometric function ${}_nF_{n-1}$, Invent. Math. 95 (1989), no. 2, 325–354, DOI 10.1007/BF01393900. MR974906
[6] B. Bhatt and P. Scholze, Prisms and prismatic cohomology, arXiv:1905.08229v3, 2021.
[7] Maurizio Boyarsky, p-adic gamma functions and Dwork cohomology, Trans. Amer. Math. Soc. 257 (1980), no. 2, 359–369, DOI 10.2307/1998301. MR552263
[8] P. Candelas, X. de la Ossa, and D. van Straten, Local zeta functions from Calabi–Yau differential equations, arXiv:2104.07816v1, 2021.
[9] Alberto Castaño Domínguez and Christian Sevenheck, Irregular Hodge filtration of some confluent hypergeometric systems, J. Inst. Math. Jussieu 20 (2021), no. 2, 627–668, DOI 10.1017/S1474748019000288. MR4223435
[10] E. Cattani, Three lectures on hypergeometric functions, https://people.math.umass.edu/~cattani/hypergeom_lectures.pdf.
[11] Henri Cohen, Number theory. Vol. II. Analytic and modern tools, Graduate Texts in Mathematics, vol. 240, Springer, New York, 2007. MR2312338
[12] Th. Clausen, Ueber die Fälle, wenn die Reihe von der Form $y = 1 + \frac{\alpha}{1}\cdot\frac{\beta}{\gamma}\,x + \frac{\alpha.\alpha+1}{1.2}\cdot\frac{\beta.\beta+1}{\gamma.\gamma+1}\,x^2 + \text{etc.}$ ein Quadrat von der Form $z = 1 + \frac{\alpha'}{1}\cdot\frac{\beta'}{\gamma'}\cdot\frac{\delta'}{\varepsilon'}\,x + \frac{\alpha'.\alpha'+1}{1.2}\cdot\frac{\beta'.\beta'+1}{\gamma'.\gamma'+1}\cdot\frac{\delta'.\delta'+1}{\varepsilon'.\varepsilon'+1}\,x^2 + \text{etc.}$ hat (German), J. Reine Angew. Math. 3 (1828), 89–91, DOI 10.1515/crll.1828.3.89. MR1577682
[13] Edgar Costa, Kiran S. Kedlaya, and David Roe, Hypergeometric L-functions in average polynomial time, ANTS XIV—Proceedings of the Fourteenth Algorithmic Number Theory Symposium, Open Book Ser., vol. 4, Math. Sci. Publ., Berkeley, CA, 2020, pp. 143–159, DOI 10.2140/obs.2020.4.143. MR4235111
[14] B. Dwork, On the uniqueness of Frobenius operator on differential equations, Algebraic number theory, Adv. Stud. Pure Math., vol. 17, Academic Press, Boston, MA, 1989, pp. 89–96, DOI 10.2969/aspm/01710089. MR1097612
[15] Bernard Dwork, On the Boyarsky principle, Amer. J. Math. 105 (1983), no. 1, 115–156, DOI 10.2307/2374383. MR692108
[16] Bernard Dwork, Generalized hypergeometric functions, Oxford Mathematical Monographs, The Clarendon Press, Oxford University Press, New York, 1990. Oxford Science Publications. MR1085482
[17] B. Dwork, Cohomological interpretation of hypergeometric series, Rend. Sem. Mat. Univ. Padova 90 (1993), 239–263. MR1257141
[18] B. Dwork and F. Loeser, Hypergeometric series, Japan. J. Math. (N.S.) 19 (1993), no. 1, 81–129, DOI 10.4099/math1924.19.81. MR1231511
[19] Lei Fu, $\ell$-adic GKZ hypergeometric sheaves and exponential sums, Adv. Math. 298 (2016), 51–88, DOI 10.1016/j.aim.2016.04.021. MR3505737
[20] L. Fu, D. Wan, and H. Zhang, The p-adic Gelfand-Kapranov-Zelevinsky hypergeometric complex, arXiv:1804.05297v1, 2018.
[21] I. M. Gelfand and M. I. Graev, Hypergeometric functions over finite fields (Russian), Dokl. Akad. Nauk 381 (2001), no. 6, 732–737. MR1892519
[22] I. M. Gelfand, M. M. Kapranov, and A. V. Zelevinsky, Discriminants, resultants and multidimensional determinants, Modern Birkhäuser Classics, Birkhäuser Boston, Inc., Boston, MA, 2008. Reprint of the 1994 edition. MR2394437
[23] Vasily Golyshev and Anton Mellit, Gamma structures and Gauss's contiguity, J. Geom. Phys. 78 (2014), 12–18, DOI 10.1016/j.geomphys.2013.12.007. MR3170307
[24] John Greene, Hypergeometric functions over finite fields, Trans. Amer. Math. Soc. 301 (1987), no. 1, 77–101, DOI 10.2307/2000329. MR879564
[25] Benedict H. Gross and Neal Koblitz, Gauss sums and the p-adic Γ-function, Ann. of Math. (2) 109 (1979), no. 3, 569–581, DOI 10.2307/1971226. MR534763
[26] David Harvey, Counting points on hyperelliptic curves in average polynomial time, Ann. of Math. (2) 179 (2014), no. 2, 783–803, DOI 10.4007/annals.2014.179.2.7. MR3152945
[27] David Harvey, Computing zeta functions of arithmetic schemes, Proc. Lond. Math. Soc. (3) 111 (2015), no. 6, 1379–1401, DOI 10.1112/plms/pdv056. MR3447797
[28] David Harvey and Andrew V. Sutherland, Computing Hasse-Witt matrices of hyperelliptic curves in average polynomial time, LMS J. Comput. Math. 17 (2014), no. suppl. A, 257–273, DOI 10.1112/S1461157014000187. MR3240808
[29] David Harvey and Andrew V. Sutherland, Computing Hasse-Witt matrices of hyperelliptic curves in average polynomial time, II, Frobenius distributions: Lang-Trotter and Sato-Tate conjectures, Contemp. Math., vol. 663, Amer. Math. Soc., Providence, RI, 2016, pp. 127–147, DOI 10.1090/conm/663/13352. MR3502941
[30] Nicholas M. Katz, Exponential sums and differential equations, Annals of Mathematics Studies, vol. 124, Princeton University Press, Princeton, NJ, 1990, DOI 10.1515/9781400882434. MR1081536
[31] Nicholas M. Katz and John Tate, Bernard Dwork (1923–1998), Notices Amer. Math. Soc. 46 (1999), no. 3, 338–343. MR1669973
[32] Kiran S. Kedlaya, p-adic differential equations, Cambridge Studies in Advanced Mathematics, vol. 125, Cambridge University Press, Cambridge, 2010, DOI 10.1017/CBO9780511750922. MR2663480
[33] K. S. Kedlaya, GitHub repository, https://github.com/kedlaya/hgm-frobstruct.
[34] Kiran S. Kedlaya and Jan Tuitman, Effective convergence bounds for Frobenius structures on connections, Rend. Semin. Mat. Univ. Padova 128 (2012), 7–16 (2013), DOI 10.4171/RSMUP/128-2. MR3076829
[35] M. Kim and W. Yang, Mirror symmetry, mixed motives, and ζ(3), arXiv:1710.02344v3, 2019.
[36] Alan G. B. Lauder, Deformation theory and the computation of zeta functions, Proc. London Math. Soc. (3) 88 (2004), no. 3, 565–602, DOI 10.1112/S0024611503014461. MR2044050
[37] Alain M. Robert, A course in p-adic analysis, Graduate Texts in Mathematics, vol. 198, Springer-Verlag, New York, 2000, DOI 10.1007/978-1-4757-3254-2. MR1760253
[38] Alain Salinier, Structure de Frobenius forte de l'équation différentielle hypergéométrique (French, with English summary), C. R. Acad. Sci. Paris Sér. I Math. 305 (1987), no. 10, 393–396. MR916337
[39] Peter Scholze, Canonical q-deformations in arithmetic geometry (English, with English and French summaries), Ann. Fac. Sci. Toulouse Math. (6) 26 (2017), no. 5, 1163–1192, DOI 10.5802/afst.1563. MR3746625
[40] I. Shapiro, Frobenius map for quintic threefolds, Int. Math. Res. Not. IMRN 13 (2009), 2519–2545, DOI 10.1093/imrn/rnp024. MR2520788
[41] Ilya Shapiro, Frobenius map and the p-adic gamma function, J. Number Theory 132 (2012), no. 8, 1770–1779, DOI 10.1016/j.jnt.2012.03.005. MR2922344
[42] J. Thomae, Ueber die höheren hypergeometrischen Reihen, insbesondere über die Reihe: $1 + \frac{a_0 a_1 a_2}{1.b_1 b_2}\,x + \frac{a_0(a_0+1)\,a_1(a_1+1)\,a_2(a_2+1)}{1.2.b_1(b_1+1)\,b_2(b_2+1)}\,x^2 + \cdots$ (German), Math. Ann. 2 (1870), no. 3, 427–444, DOI 10.1007/BF01448236. MR1509670
[43] D. van Straten, CY-operators and L-functions, in 2017 MATRIX Annals, Springer, 2019, 491–503.
[44] Daniel Vargas-Montoya, Algébricité modulo p, séries hypergéométriques et structures de Frobenius fortes (French, with English and French summaries), Bull. Soc. Math. France 149 (2021), no. 3, 439–477, DOI 10.24033/bsmf.283. MR4349570

Department of Mathematics, University of California San Diego, La Jolla, California 92093
Email address: [email protected]
URL: https://kskedlaya.org
Contemporary Mathematics Volume 779, 2022 https://doi.org/10.1090/conm/779/15674
The regulator dominates the rank

Fabien Pazuki

We believe that the results presented here would have been to the liking of Alexey Zykin, who is deeply missed. In loving memory of Alexey and Tanya.

Abstract. After noticing that the regulator of a number field dominates the rank of its group of units, we bound from below the regulator of the Mordell-Weil group of elliptic curves over global function fields of characteristic $p \ge 5$. The lower bound is an increasing function of the rank and of the height. This partially answers Question 7.1 and Question 7.2 in Autissier et al [Int. Math. Res. Not., 7, 2021, 4976-4993].
1. Introduction

Regulators of number fields and regulators of Mordell-Weil groups of abelian varieties have attracted a lot of attention, both for their own sake, and for the role they play in the Class Number Formula and in the strong form of the Birch and Swinnerton-Dyer conjecture, respectively. When studying families of number fields or families of abelian varieties, it is sometimes necessary to estimate the size of the regulator in terms of easier invariants, like the discriminant and degree of the number fields, or like the height of the abelian varieties and the rank of their Mordell-Weil group, respectively. In this note, we propose a new lower bound on the regulator of elliptic curves defined over global function fields. This lower bound is an increasing function of the rank of the elliptic curve (when the height is big enough), which is a new phenomenon, and which mirrors a similar situation taking place between the regulator of a number field and its rank of units. We describe both results in the rest of this introduction.

1.1. Regulators and ranks of units of number fields. Let us start with the following theorem, which has been an important motivation for this work. In the sequel, if F is a number field, we denote by d its degree over Q. Let $r_1$ be the number of real embeddings of F, and $r_2$ be the number of pairs of complex conjugate embeddings of F. The group of units of F is a Z-module of finite rank, we denote this rank by $r_F$. Let $R_F$ be the regulator of F, and let $w_F$ be the number of roots of unity in F.

Theorem 1.1 (Friedman, [Fri89, page 620, Corollary]). Let F be a number field. Then
$$\frac{R_F}{w_F} \ge 0.0031\,\exp(0.241\,d + 0.497\,r_1). \tag{1}$$

By Dirichlet's unit theorem, we know that $r_F = r_1 + r_2 - 1$. We also know that $d = r_1 + 2r_2$. This has the following easy consequence when used in inequality (1).

Corollary 1.2. Let F be a number field. Then
$$R_F \ge 0.0062\,\exp(0.241\,r_F). \tag{2}$$

2020 Mathematics Subject Classification. Primary 11G50, 14G40.
Key words and phrases. Heights, elliptic curves, regulators, Mordell-Weil.
We thank the Swedish Research Council under grant no. 2016-06596, as this work was finalized while the author was in residence at Institut Mittag-Leffler in Djursholm, Sweden during the fall of 2021. The author was supported by ANR-17-CE40-0012 Flair and ANR-20-CE40-0003 Jinvariant.
© 2022 American Mathematical Society
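As a worked derivation, added here and not part of the original paper, this is how (2) follows from (1) together with the two identities just recalled:
$$R_F \;\ge\; 0.0031\, w_F\, \exp(0.241\,d + 0.497\,r_1) \;\ge\; 0.0062\,\exp(0.241\,d) \;\ge\; 0.0062\,\exp(0.241\,r_F),$$
using $w_F \ge 2$ (the roots of unity $\pm 1$ lie in every number field), $0.497\,r_1 \ge 0$, and $d = r_1 + 2r_2 \ge r_1 + r_2 - 1 = r_F$. Each step only drops a non-negative quantity, which is why the constant $0.241$ survives unchanged from (1) to (2).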
So the story begins with the following fact given by inequality (2): the regulator $R_F$ of a number field F dominates the rank $r_F$ of its group of units. This triggers questions about other contexts, for instance: to what extent would the regulator of the Mordell-Weil group of an abelian variety over a global field dominate the rank of this Mordell-Weil group?

1.2. Elliptic curves and ranks of Mordell-Weil groups. Our goal is to prove that the regulator Reg(E/K) of an elliptic curve E defined over a function field K of characteristic p ≥ 5 dominates the rank of its Mordell-Weil group. In doing so we partially answer Question 7.1 and Question 7.2 of [AHP21] in the case where $K = \mathbb{F}_q(C)$ is a function field of characteristic p ≥ 5, where C is a smooth projective and geometrically connected curve defined over its constant field $\mathbb{F}_q$ and of genus g ≥ 0. Note that the rank of elliptic curves over function fields of positive characteristic is not bounded [Ulm02, Gri20], hence this improvement is non-trivial. Let us state the result.

Theorem 1.3. Let $K = \mathbb{F}_q(C)$ be a function field of characteristic p ≥ 5 and genus g. Let E be an elliptic curve over K of discriminant Δ(E/K), of trace zero, and let $p^s$ denote the inseparability degree of the j-map of E. Let r denote the rank of E(K). There exists a positive real number $c_0 = c_0(q, g, p^s)$ such that
$$\mathrm{Reg}(E/K) \ge \big(c_0 \log 12h(E)\big)^r, \tag{3}$$
where $h(E) = \frac{1}{12}\deg\Delta(E/K)$, and the inequality holds with the explicit value
$$c_0 = \Big(p^{2s}\, 12\sqrt{q}\,(\log q)^2\,(5g+9)\,10^{15.5+23g}\Big)^{-1}.$$

We can now deduce the following corollary, which can be seen as a refined Northcott property for the regulators of elliptic curves over function fields in characteristic p ≥ 5.

Corollary 1.4. Let $K = \mathbb{F}_q(C)$ be a function field of characteristic p ≥ 5 and genus g. The set of elliptic curves of trace zero over K, with positive rank, bounded inseparability degree and bounded regulator is finite.

Remark 1.5. Under the ABC conjecture, the BSD conjecture, and the GRH, one obtains an inequality for elliptic curves over number fields similar to the inequality (3) using [Mes86]. This would lead to an improvement of Theorem 4 page 1124 of [Paz16], as the regulator would bound the rank from above.
The rest of the text presents a proof of Theorem 1.3 and of Corollary 1.4. After giving the prerequisites in the next section, we prove inequality (3). The proof relies on the Minkowski successive minima inequality, combined with a lower bound on the canonical height of non-torsion points on elliptic curves. This is not enough, though: we need extra input to obtain the correct dependence on the rank. We are then able to give an explicit estimate on the analytic rank in Lemma 3.1, following Brumer's work, and to transfer this estimate to the algebraic rank via Tate's work. The estimate is of sufficient quality to yield the result.

2. Definitions and prerequisites

Here we gather the basic definitions (function fields, heights, regulators of elliptic curves) and the key results used later in the proof of Theorem 1.3.

2.1. Function fields. Let K = k(C) be the function field of a smooth projective and geometrically connected curve C defined over its constant field k and of genus g ≥ 0. Let $M_K$ stand for a complete set of inequivalent valuations $v(\cdot)$. The set $M_K$ is in bijection with the set of closed points of C. Given a place $v \in M_K$, the residue field $k_v$ of K at v is a finite extension of k: the degree $n_v := [k_v : k]$ of this extension will be called the degree of v. This gives a normalization such that for any element $x \in K$, $x \neq 0$, the following product formula holds:
$$\sum_{v \in M_K} n_v\, v(x) = 0.$$
A divisor I on the field K is a formal sum $\sum_{v \in M_K} a_v \cdot v$ where $a_v \in \mathbb{Z}$ is zero for all but finitely many places v. We pose
$$\deg(I) = \sum_{v \in M_K} n_v\, a_v.$$
We define the height on K by $h(0) = 0$ and for any non-zero $x \in K$, by
$$h(x) = \sum_{v \in M_K} n_v \max\{0, -v(x)\}.$$
If we now consider E to be an elliptic curve defined over the function field K, we define the Néron-Tate height on the group of rational points E(K) with respect to the divisor (O) on E by
$$\hat{h}_E(P) = \frac{1}{2}\lim_{n \to \infty} \frac{1}{n^2}\, h(x([n]P)).$$

2.2. Regulators of elliptic curves. Let K be a function field of transcendence degree one over its field of constants k. Let E/K be an elliptic curve over the field K. We assume that E has trace zero. Let m be the Mordell-Weil rank of E(K), which is finite by the Lang-Néron theorem, see [Con06] for instance. Let $\hat{h}_E$ be the Néron-Tate height on E. Let $\langle \cdot, \cdot \rangle$ be the associated bilinear form, given by
$$\langle P, Q \rangle = \frac{1}{2}\Big(\hat{h}_E(P+Q) - \hat{h}_E(P) - \hat{h}_E(Q)\Big)$$
for any $P, Q \in E(K)$.
Definition 2.1. Let $P_1, \dots, P_r$ be a basis of the lattice $E(K)/E(K)_{\mathrm{tors}}$, where E(K) is the Mordell-Weil group. The regulator of E/K is defined by
$$\mathrm{Reg}(E/K) = \det\big(\langle P_i, P_j \rangle_{1 \le i,j \le r}\big).$$
In the case r = 0, the regulator is equal to 1.

We gather here three results needed for the sequel.

Lemma 2.2 (Lemma 3.1 of [AHP21]). Let K be a function field of transcendence degree one over its field of constants k. Let E be an elliptic curve over the field K. We assume that E has trace zero. Let r be the Mordell-Weil rank of E(K). Assume r ≥ 1. Let $\Lambda = E(K)/E(K)_{\mathrm{tors}}$ and for any $i \in \{1, \dots, r\}$, let us denote the Minkowski i-th minimum of $(\Lambda, \hat{h}_E)$ by $\lambda_i$. Then we have
$$\lambda_1 \cdots \lambda_r \le r^{r/2}\,(\mathrm{Reg}(E/K))^{1/2}. \tag{4}$$

Theorem 2.3 (Theorem 6.1 of [AHP21]). Let K = k(C) be a function field of characteristic p > 0 and genus g. Let E/K be an elliptic curve of discriminant Δ(E/K) and assume that the j-map of E has inseparable degree $p^s$. Let $P \in E(K)$ be a non-torsion point. Then one has
$$\hat{h}_E(P) \ge p^{-2s}\,10^{-15.5-23g}\, h(E), \qquad \text{where } h(E) = \frac{1}{12}\deg\Delta(E/K).$$
Lemma 2.4. Let K = k(C) be a function field of characteristic p > 0 and genus g. Let E/K be an elliptic curve over K. Let $r_{an}$ denote the analytic rank of E/K and let r denote its algebraic rank over K. Then $r \le r_{an}$.

Proof. This is a direct consequence of Theorem 5.2 page 436 of [Tat66].

3. Regulators of elliptic curves over function fields of positive characteristic

Let us start with a useful lemma, which is an explicit version of Proposition 6.9 page 463 in [Bru92]. Inequality (6) is weaker than inequality (5), but easier to manipulate. Brumer's work [Bru92] provides a bound on the analytic rank. To deduce the control on the algebraic rank we use Lemma 2.4.

Lemma 3.1. Let $K = \mathbb{F}_q(C)$ be a function field of characteristic p ≥ 5 and genus g. Let E be an elliptic curve over K. Let $n_E$ be the degree of the conductor of E and let r denote the rank of E(K). Assume $n_E > 1$. The following inequality holds:
$$r \le \frac{n_E \log q}{2\log n_E} + \frac{4\, n_E \sqrt{q}\,(\log q)^2}{(\log n_E)^2} + 5g + \frac{7}{2} + \frac{\log q}{\log n_E}\Big(2g - 2 + \frac{20g + 17}{\sqrt{q}}\Big), \tag{5}$$
and leads to, as q ≥ 5,
$$r \le \frac{n_E}{\log n_E}\,\sqrt{q}\,(\log q)^2\,(5g + 9). \tag{6}$$

Note that we do not assume that $n_E$ is large when compared to q, in contrast with Proposition 6.9 page 463 of [Bru92].
Proof. We follow closely the proof of Proposition 6.9 page 463 in [Bru92]. Let us denote by Z the set of θ such that $1 + i\theta/\log q$ is a zero of the L-function of the elliptic curve E, and such that $0 \le \theta < 2\pi$. For any trigonometric polynomial f with Fourier coefficients denoted c(n), we state the explicit formula (6.7) page 462 in [Bru92], for a positive integer parameter Y to be fixed later:
$$r_{an}\, f(0) + \sum_{\theta \in Z} f(\theta) = c(0)\,(n_E + 4g - 4) + 2\sum_{m=1}^{Y} U_m(E, f), \tag{7}$$
where the $U_m(E, f)$ are defined in (6.6) page 462 in [Bru92] and satisfy the following inequality, uniformly in f (there is a term $\beta_K$ in the original formula; note that we used $\beta_K = (2g+1)(1-q^{-1})^{-1}$, as given in Proposition 6.3 page 461 of [Bru92]):
$$\sum_{m=3}^{+\infty} |U_m(E, f)| \le \frac{2}{\sqrt{q}\,(1 - q^{-1/2})^2} + \frac{(4g+2)(1 - q^{-1})^{-1}}{(q-1)(1 - q^{-1/2})}, \tag{8}$$
and if we consider (as in (6.5) page 465) the Fejér kernel given by
$$F_Y(\theta) = \frac{(\sin \frac{1}{2} Y\theta)^2}{Y (\sin \frac{1}{2}\theta)^2},$$
for the specific choice $f = F_Y$, we have the inequality
$$|U_2(E, F_Y)| \le \frac{Y}{2} + \frac{4g+2}{(\sqrt{q} - 1)(1 - q^{-1})}, \tag{9}$$
and the inequality
$$|U_1(E, F_Y)| \le \frac{2 q^{Y/2}}{\sqrt{q}\, Y (1 - q^{-1/2})^2} + \frac{2g+1}{1 - q^{-1}}\, Y. \tag{10}$$
Following Brumer we fix $f = F_Y$ in equation (7), we get $f(0) = Y$ and $c(0) = 1$, and because the Fejér kernel is non-negative,[1] the combination of (7) with (8), (9), (10) leads to
$$r \le r_{an} \le \frac{n_E + 4g - 4}{Y} + \frac{4g+2}{1 - q^{-1}} + 1 + \frac{8g+4}{Y(\sqrt{q} - 1)(1 - q^{-1})} + \frac{4 q^{Y/2}}{Y^2 \sqrt{q}\,(1 - q^{-1/2})^2} + \frac{(8g+4)(1 - q^{-1})^{-1}}{Y (q-1)(1 - q^{-1/2})} + \frac{4}{Y \sqrt{q}\,(1 - q^{-1/2})^2}. \tag{11}$$

[1] The author remembers attending a course in functional analysis of Jean-Michel Morel at ENS Cachan in 2002, where one needed to compare different kernels in Fourier theory. The Fejér kernel will always be remembered as one of the most important, because it is non-negative; this is useful again in this situation!
For any $n_E > 1$, we may now fix $Y = \lceil 2\log n_E / \log q \rceil > 0$ and use $\frac{1}{Y} \le \frac{\log q}{2 \log n_E}$ and $q^{Y/2} \le n_E\, q$ to obtain[2] in (11)
$$r \le \frac{n_E \log q}{2\log n_E} + \frac{n_E \sqrt{q}\,(\log q)^2}{(\log n_E)^2 (1 - q^{-1/2})^2} + \frac{4g+2}{1 - q^{-1}} + 1 + \frac{\log q}{\log n_E}\Big(\frac{4g+2}{(\sqrt{q} - 1)(1 - q^{-1})} + \frac{2}{\sqrt{q}\,(1 - q^{-1/2})^2} + \frac{(4g+2)(1 - q^{-1})^{-1}}{(q-1)(1 - q^{-1/2})} + 2g - 2\Big),$$
and with q ≥ 5 we obtain
$$r \le \frac{n_E \log q}{2\log n_E} + \frac{4\, n_E \sqrt{q}\,(\log q)^2}{(\log n_E)^2} + 5g + \frac{7}{2} + \frac{\log q}{\log n_E}\Big(2g - 2 + \frac{20g + 17}{\sqrt{q}}\Big). \tag{12}$$

We can now give the proof of Theorem 1.3.

Proof. If r = 0 the result is obvious, we may thus assume that r ≥ 1. We start by combining Lemma 2.2 and Theorem 2.3 to obtain
$$\mathrm{Reg}(E/K) \ge \Big(\frac{1}{r}\, p^{-2s}\,10^{-15.5-23g}\, h(E)\Big)^r. \tag{13}$$
We now want to estimate the denominator by bounding the algebraic rank r from above: one uses Lemma 3.1 (valid when p ≥ 5 and $n_E > 1$):
$$r \le \frac{n_E}{\log n_E}\,\sqrt{q}\,(\log q)^2\,(5g + 9). \tag{14}$$
Now, as $n_E \le 12h(E)$ and as $x \mapsto x(\log x)^{-1}$, for $x > e$, is a well defined increasing function, one deduces from (14) that for $n_E > e$
$$r \le \frac{12h(E)}{\log 12h(E)}\,\sqrt{q}\,(\log q)^2\,(5g + 9), \tag{15}$$
which leads to
$$\mathrm{Reg}(E/K) \ge \Big(\frac{\log 12h(E)}{12h(E)\,\sqrt{q}\,(\log q)^2\,(5g+9)}\; p^{-2s}\,10^{-15.5-23g}\, h(E)\Big)^r \tag{16}$$
and finally
$$\mathrm{Reg}(E/K) \ge \big(c_0 \log 12h(E)\big)^r, \tag{17}$$
where $c_0 = \big(p^{2s}\, 12\sqrt{q}\,(\log q)^2\,(5g+9)\,10^{15.5+23g}\big)^{-1}$. We also need to treat the case $n_E \le e$: we may use the easy bound $r \le n_E + 4g - 4$, which gives in particular $r \le 4g - 1$. Inject this in (13) to obtain
$$\mathrm{Reg}(E/K) \ge \Big(\frac{1}{4g-1}\, p^{-2s}\,10^{-15.5-23g}\, h(E)\Big)^r \ge \big(c_0 \log 12h(E)\big)^r, \tag{18}$$
and the same explicit value of $c_0$ is valid. This concludes the proof.

We will now close the discussion with the proof of Corollary 1.4.

[2] Taking $\lfloor\cdot\rfloor$ instead of $\lceil\cdot\rceil$ when choosing Y is a valid option if $n_E$ is assumed big when compared to q.
Proof. We split into two cases: in Theorem 1.3, either $c_0 \log 12h(E) \le 1$, in that case $p^s$ bounded implies a bounded height, or $c_0 \log 12h(E) > 1$: in that case, as soon as the rank r is positive and as long as s is bounded from above, a bounded regulator implies a bounded height by inequality (3). In both cases, apply [MB85] Théorème 4.6 page 236, which proves that a bounded height implies finiteness, as the constant field is a finite field here.

Acknowledgments

We thank Pascal Autissier and Marc Hindry for interesting conversations. We thank the referee for useful feedback.

References

[AHP21] Pascal Autissier, Marc Hindry, and Fabien Pazuki, Regulators of elliptic curves, Int. Math. Res. Not. IMRN 7 (2021), 4976–4993, DOI 10.1093/imrn/rny285. MR4241121
[Bru92] Armand Brumer, The average rank of elliptic curves. I, Invent. Math. 109 (1992), no. 3, 445–472, DOI 10.1007/BF01232033. MR1176198
[Con06] Brian Conrad, Chow's K/k-image and K/k-trace, and the Lang-Néron theorem, Enseign. Math. (2) 52 (2006), no. 1-2, 37–108. MR2255529
[Fri89] Eduardo Friedman, Analytic formulas for the regulator of a number field, Invent. Math. 98 (1989), no. 3, 599–622, DOI 10.1007/BF01393839. MR1022309
[Gri20] Richard Griffon, A new family of elliptic curves with unbounded rank, Mosc. Math. J. 20 (2020), no. 2, 343–374. MR4088798
[HiSi88] Marc Hindry and Joseph H. Silverman, The canonical height and integral points on elliptic curves, Invent. Math. 93 (1988), no. 2, 419–450, DOI 10.1007/BF01394340. MR948108
[Mes86] Jean-François Mestre, Formules explicites et minorations de conducteurs de variétés algébriques (French), Compositio Math. 58 (1986), no. 2, 209–232. MR844410
[MB85] Laurent Moret-Bailly, Pinceaux de variétés abéliennes (French, with English summary), Astérisque 129 (1985), 266. MR797982
[Paz16] Fabien Pazuki, Northcott property for the regulators of number fields and abelian varieties, Oberwolfach Rep. 21 (2016), 1122–1125.
[Tat66] John Tate, On the conjectures of Birch and Swinnerton-Dyer and a geometric analog, Séminaire Bourbaki, Vol. 9, Soc. Math. France, Paris, (1966), Exp. No. 306, pp. 415–440. MR1610977
[Ulm02] Douglas Ulmer, Elliptic curves with large rank over function fields, Ann. of Math. (2) 155 (2002), no. 1, 295–315, DOI 10.2307/3062158. MR1888802

Institute of Mathematics, University of Copenhagen, Universitetsparken 5, 2100 Copenhagen Ø, Denmark; and Université de Bordeaux, IMB, 351, cours de la Libération, 33400 Talence, France
Email address: [email protected]
Contemporary Mathematics Volume 779, 2022 https://doi.org/10.1090/conm/779/15675
Introduction to Drinfeld modules

Bjorn Poonen

Abstract. Our goal is to introduce Drinfeld modules and to explain their application to explicit class field theory.
Before introducing Drinfeld modules, let us motivate their study by mentioning some of their applications.

1. Applications

• Explicit class field theory for global function fields (just as torsion of $\mathbb{G}_m$ gives abelian extensions of Q, and torsion of CM elliptic curves gives abelian extensions of imaginary quadratic fields). Here, global function field means $\mathbb{F}_p(T)$ or a finite extension.
• Langlands conjectures for $\mathrm{GL}_n$ over global function fields (Drinfeld modular varieties play the role of Shimura varieties).
• Modularity of elliptic curves over global function fields: If E over $\mathbb{F}_p(T)$ has split multiplicative reduction at ∞, then E is dominated by a Drinfeld modular curve.
• Explicit construction of curves over finite fields with many points, as needed in coding theory, namely reductions of Drinfeld modular curves, which have easier-to-write-down equations than the classical modular curves.

Only the first of these will be treated in these notes, though we do also give a very brief introduction to Drinfeld modular curves and varieties. We follow [Hay92] as primary reference. For many more details about Drinfeld modules, one can consult the original articles of Drinfeld [Dri74, Dri77] or any of the following: [DH87], [GHR92], [Gos96], [Lau96], [Lau97], [GvdPRVG97], [Ros02], [Tha04].

2. Analytic theory

2.1. Inspiration from characteristic 0. Let Λ be a discrete Z-submodule of C of rank r ≥ 0, so there exist R-linearly independent $\omega_1, \dots, \omega_r$ such that $\Lambda = \mathbb{Z}\omega_1 + \cdots + \mathbb{Z}\omega_r$. It turns out that the Lie group C/Λ is isomorphic to G(C) for some algebraic group G over C, as we can check for each value of r:

r   isomorphism of Lie groups                                        G
0   $\mathbb{C}/\Lambda \xrightarrow{\sim} \mathbb{C}$                                   the additive group $\mathbb{G}_a$
1   $\mathbb{C}/\Lambda \xrightarrow{\sim} \mathbb{C}^\times$, $z \mapsto \exp(2\pi i z/\omega_1)$   the multiplicative group $\mathbb{G}_m$
2   $\mathbb{C}/\Lambda \xrightarrow{\sim} E(\mathbb{C})$, $z \mapsto (\wp(z), \wp'(z))$           an elliptic curve E

(The notation ℘ denotes the Weierstrass ℘-function associated to the lattice Λ; see [Sil09, VI.3], for instance.) Cases with r > 2 do not occur, since [C : R] = 2.

2.2. Characteristic p analogues. What is a good analogue of the above in characteristic p? Start with a smooth projective geometrically integral curve X over a finite field $\mathbb{F}_q$, and fix a closed point ∞ ∈ X. Let O(X − {∞}) denote the coordinate ring of the affine curve X − {∞}.

Characteristic 0 ring   Characteristic p analogue                  Example
Z                       A := O(X − {∞})                            $\mathbb{F}_q[T]$
Q                       K := Frac A                                $\mathbb{F}_q(T)$
R                       $K_\infty$ := completion at ∞              $\mathbb{F}_q((1/T))$
C                       C := completion of $\overline{K_\infty}$

The completions are taken with respect to the ∞-adic absolute value: For nonzero a ∈ A, define $|a| := \#(A/a) = q^{\deg a}$ (and |0| := 0); extend | | to K, its completion $K_\infty$, an algebraic closure $\overline{K_\infty}$, and its completion C, in turn. The field C is algebraically closed as well as complete with respect to | |. Some authors use the notation C or C∞ instead of C.

Finite rank Z-submodules of C are just finite-dimensional $\mathbb{F}_p$-subspaces, not so interesting, so instead consider this:

Definition 2.1. An A-lattice in C is a discrete A-submodule Λ of C of finite rank, where $\operatorname{rank}\Lambda := \dim_K(K\Lambda) = \dim_{K_\infty}(K_\infty\Lambda)$.

If A is a principal ideal domain, such as $\mathbb{F}_q[T]$, then all such Λ arise as follows: Let $\{x_1, \dots, x_r\}$ be a basis for a finite-dimensional $K_\infty$-subspace in C, and let $\Lambda := Ax_1 + \cdots + Ax_r \subset \mathbb{C}$. Note: In contrast with the characteristic 0 situation, r can be arbitrarily large since $[\mathbb{C} : K_\infty]$ is infinite.

Theorem 2.2. The quotient C/Λ is analytically isomorphic to C!

This statement can be interpreted using rigid analysis. More concretely, it means that there exists a power series
$$e(z) = \alpha_0 z + \alpha_1 z^q + \alpha_2 z^{q^2} + \cdots$$
defining a surjective $\mathbb{F}_q$-linear map C → C with kernel Λ. If we require $\alpha_0 = 1$, then such a power series e is unique.

2020 Mathematics Subject Classification. Primary 11G09; Secondary 11G45, 11R37.
Key words and phrases. Drinfeld module, class field theory, $\mathbb{F}_q$-linear polynomial, Tate module, good reduction, stable reduction, Carlitz module, Hilbert class field, ray class field, Drinfeld modular variety.
The writing of this article was supported in part by National Science Foundation grants DMS-841321, DMS-1601946, and DMS-2101040 and Simons Foundation grants #402472 and #550033.
© 2022 American Mathematical Society
Sketch of proof. Uniqueness follows from the nonarchimedean Weierstrass preparation theorem, which implies that a convergent power series is determined up to a constant multiple by its zeros: explicitly, if e(z) exists, then
$$e(z) = z \prod_{\substack{\lambda \in \Lambda \\ \lambda \neq 0}} \Big(1 - \frac{z}{\lambda}\Big). \tag{2.1}$$
(Over C, there would be an ambiguity of multiplication by a function $e^{g(z)}$, but in the nonarchimedean setting, every invertible entire function is constant!) If we take (2.1) as a definition, there are several things to check:
• The infinite product converges. (Proof: Since Λ is a discrete subgroup of a locally compact group $K_\infty\Lambda$, we have $\lambda \to \infty$.)
• e(z) is surjective. (The nonarchimedean Picard theorem says that a nonconstant entire function omits no values.)
• e(x + y) = e(x) + e(y). (Proof: Write Λ as an increasing union of finite-dimensional $\mathbb{F}_p$-subspaces, and e(x) as the limit of the corresponding finite products. If f(x) is a polynomial whose zeros are distinct and form a group G under addition, then f(x + y) = f(x) + f(y), because f(x + y) − f(x) − f(y) vanishes on G × G but is of degree less than #G in each variable.)
• e(cx) = ce(x) for each c ∈ $\mathbb{F}_q$. (Use a proof similar to the preceding, or argue directly.)
• ker e = Λ.

Now C/Λ has a natural A-module structure. Carrying this across the isomorphism C/Λ → C gives an exotic A-module structure on C. This is essentially what a Drinfeld module is: the additive group with a new A-module structure. For each a ∈ A, the multiplication-by-a map a : C/Λ → C/Λ corresponds under the isomorphism to a map $\phi_a : \mathbb{C} \to \mathbb{C}$ making
$$\begin{array}{ccc} \mathbb{C}/\Lambda & \xrightarrow{\;a\;} & \mathbb{C}/\Lambda \\ {\scriptstyle e}\downarrow\; & & \;\downarrow{\scriptstyle e} \\ \mathbb{C} & \xrightarrow{\;\phi_a\;} & \mathbb{C} \end{array} \tag{2.2}$$
commute.

Proposition 2.3. The map $\phi_a$ is a polynomial!

Proof. Assume that a ≠ 0. We have
$$\ker\big(a : \mathbb{C}/\Lambda \to \mathbb{C}/\Lambda\big) = \frac{a^{-1}\Lambda}{\Lambda},$$
which is isomorphic to $\Lambda/a\Lambda \simeq (A/a)^r$, which is finite of order $|a|^r$. So $\ker\phi_a$ should be $e\big(\frac{a^{-1}\Lambda}{\Lambda}\big)$. Define the polynomial
$$\phi_a(z) := az \prod_{t \in \frac{a^{-1}\Lambda}{\Lambda} - \{0\}} \Big(1 - \frac{z}{e(t)}\Big).$$
Then $\phi_a$ is the map making (2.2) commute, because the power series $\phi_a(e(z))$ and $e(az)$ have the same zeros and same coefficient of z.

The proof of Proposition 2.3 shows also that for any nonzero a ∈ A,
$$\deg\phi_a = \#\frac{a^{-1}\Lambda}{\Lambda} = |a|^r.$$
3. Algebraic theory

3.1. $\mathbb{F}_q$-linear polynomials. Let L be a field containing $\mathbb{F}_q$. A polynomial f(x) ∈ L[x] is called additive if f(x + y) = f(x) + f(y) in L[x, y], and $\mathbb{F}_q$-linear if, in addition, f(cx) = cf(x) in L[x] for all c ∈ $\mathbb{F}_q$. Think of such polynomials as operators that can be composed: For example, each a ∈ L defines an operator $x \mapsto ax$ and τ denotes the Frobenius operator $x \mapsto x^q$, so τa is $x \mapsto (ax)^q$ and $\tau^2$ is $x \mapsto x^{q^2}$. Let $\mathbb{G}_a$ be the additive group scheme over L, viewed as an $\mathbb{F}_q$-vector space scheme over L. Endomorphisms of $\mathbb{G}_a$ as an $\mathbb{F}_q$-vector space scheme are $\mathbb{F}_q$-linear by definition:
$$\mathrm{End}\,\mathbb{G}_a = \{\mathbb{F}_q\text{-linear polynomials in } L[x]\} = \Big\{\sum_{i=0}^{n} a_i x^{q^i} : a_i \in L\Big\} = \Big\{\Big(\sum_{i=0}^{n} a_i \tau^i\Big)(x) : a_i \in L\Big\} =: L\{\tau\};$$
this is a ring under addition and composition. More specifically, L{τ} is a twisted polynomial ring, twisted in that the elements a ∈ L do not necessarily commute with the variable τ: instead, $\tau a = a^q \tau$. For f ∈ L{τ}, let l.c.(f) denote the leading coefficient $a_n$ of f; by convention, l.c.(0) = 0. Also, if $f = \sum_{i=0}^{n} a_i\tau^i$, then the derivative of the $\mathbb{F}_q$-linear polynomial f(x) ∈ L[x] is the constant $f'(0) = a_0$, which is the "constant term" of f viewed as a twisted polynomial in L{τ}.

3.2. Drinfeld modules.

Definition 3.1. An A-field is an A-algebra L that is a field; that is, L is a field equipped with a ring homomorphism ι : A → L. The A-characteristic of L is $\mathrm{char}_A L := \ker\iota$, a prime ideal of A. We distinguish two cases:
• L is an extension of K and ι is an inclusion; then $\mathrm{char}_A L = 0$. (Example: C.)
• L is an extension of A/𝔭 for some nonzero prime 𝔭 of A; then $\mathrm{char}_A L = \mathfrak{p}$.

To motivate the following definition, recall that an A-module M is an abelian group M together with a ring homomorphism $A \to \mathrm{End}_{\mathrm{group}} M$.

Definition 3.2. A Drinfeld A-module φ over L is the additive group scheme $\mathbb{G}_a$ with a faithful A-module structure for which the induced action on the tangent space at 0 is given by ι. More concretely, φ is an injective ring homomorphism
$$\phi : A \longrightarrow \mathrm{End}\,\mathbb{G}_a = L\{\tau\}, \qquad a \longmapsto \phi_a,$$
such that $\phi_a'(0) = \iota(a)$ for all a ∈ A.

Remark 3.3. Many authors explicitly disallow φ to be the composition $A \xrightarrow{\;\iota\;} L \subset L\{\tau\}$, but we allow it when $\mathrm{char}_A L = 0$, since doing so does not seem to break any theorems. Our requirement that φ be injective does rule out $A \xrightarrow{\;\iota\;} L \subset L\{\tau\}$ when $\mathrm{char}_A L \neq 0$, however; we must rule this out to make Proposition 3.5 below hold.

It turns out that every Drinfeld A-module over C arises from an A-lattice as in Section 2. For a more precise statement, see Theorem 3.11.

3.3. Rank. We could define the rank of a Drinfeld module over C as the rank of the A-lattice it comes from, but it will be nicer to give an algebraic definition that makes sense over any A-field. Let φ be a Drinfeld module. For each nonzero a ∈ A, there are nonnegative integers m(a) ≤ M(a) such that we may write
$$\phi_a = c_{m(a)}\tau^{m(a)} + \cdots + c_{M(a)}\tau^{M(a)}$$
with exponents in increasing order and $c_{m(a)}, c_{M(a)} \neq 0$. Then $\phi_a(x)$ as a polynomial in x has degree $q^{M(a)}$ and each zero has multiplicity $q^{m(a)}$. In terms of the functions M and m, we will define the rank and height of φ, respectively.

For each closed point 𝔭 ∈ X, let $v_\mathfrak{p}$ be the 𝔭-adic valuation on K normalized so that $v_\mathfrak{p}(a)$ is the degree of the 𝔭-component of the divisor (a); thus $v_\mathfrak{p}(K^\times) = (\deg\mathfrak{p})\mathbb{Z}$. Also, define $|a|_\mathfrak{p} := q^{-v_\mathfrak{p}(a)}$. For example, $|\ |_\infty$ is the absolute value | | defined earlier.

Example 3.4. If $A = \mathbb{F}_q[T]$, then φ is determined by $\phi_T$, and we define $r = M(T)$. For any nonzero a ∈ A, expanding $\phi_a$ in terms of $\phi_T$ shows that $M(a) = (\deg a)\, r = -r\, v_\infty(a)$.

A similar result holds for arbitrary A:

Proposition 3.5 (Characterization of rank). Let φ be a Drinfeld module over an A-field L. Then there exists a unique $r \in \mathbb{Q}_{\ge 0}$ such that $M(a) = -r\, v_\infty(a)$, or equivalently $\deg\phi_a = |a|^r$, for all nonzero a ∈ A. (Proposition 3.13(a) will imply that r is an integer.)

Proof. After enlarging L to make L perfect, we may define the ring of twisted Laurent series $L((\tau^{-1}))$ whose elements have the form $\sum_{n \in \mathbb{Z}} \ell_n \tau^n$ with $\ell_n = 0$ for sufficiently large positive n; multiplication is defined so that $\tau^n \ell = \ell^{q^n}\tau^n$. Then $L((\tau^{-1}))$ is a division ring with a valuation $v : L((\tau^{-1})) \to \mathbb{Z} \cup \{+\infty\}$ sending $\tau^n$ to $-n$ (same proof as for usual Laurent series over a field). Thus φ : A → L{τ} extends to a homomorphism $\phi : K \to L((\tau^{-1}))$, and v pulls back to a nontrivial valuation $v_K$ on K. We have $v_K(a) = -M(a) \le 0$ for all a ∈ A − {0}, so $v_K = r\, v_\infty$ for some $r \in \mathbb{Q}_{\ge 0}$. Then $M(a) = -r\, v_\infty(a)$ for all a ∈ A − {0}.

Define the rank of φ to be r. (This is not analogous to the rank of the group of rational points of an elliptic curve.)
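The twisted polynomial ring of Section 3.1 and the rank computation of Example 3.4 can be checked by hand on a small A-field. The following is an added example, not code from Poonen's notes: it builds L{τ} over L = F_25 (with q = 5, so τ is x ↦ x^5), takes the A-field structure ι(T) = i for a fixed square root i of 2, and the rank-1 module φ_T = i + τ; all of these choices, and every name in the block, are the example's own assumptions. It verifies the commutation rule τa = a^q τ, that a ↦ φ_a is a ring homomorphism once φ_T is fixed, that M(a) = (deg a)·r, that each φ_a(x) is an F_q-linear polynomial, and it enumerates the T-torsion φ[T](L) of Section 3.7, which is smaller than |T|^r = 5 because L is not algebraically closed.

```python
# Added example (not from Poonen's notes): the twisted polynomial ring L{tau}
# and a rank-1 Drinfeld F_5[T]-module over L = F_25. The field, iota(T) = i and
# all names below are this example's own choices.
from itertools import product

P = 5  # q = p = 5, so tau is x -> x^5 and F_q = F_5 is the prime field of L

# L = F_25 = F_5[i]/(i^2 - 2); 2 is a non-square mod 5. Elements are (a, b) = a + b*i.
ZERO, ONE, I = (0, 0), (1, 0), (0, 1)
FIELD = [(a, b) for a in range(P) for b in range(P)]

def f_add(x, y):
    return ((x[0] + y[0]) % P, (x[1] + y[1]) % P)

def f_mul(x, y):
    return ((x[0]*y[0] + 2*x[1]*y[1]) % P, (x[0]*y[1] + x[1]*y[0]) % P)

def f_pow(x, n):
    r = ONE
    for _ in range(n):
        r = f_mul(r, x)
    return r

def frob(x, times=1):
    """x -> x^{q^times}: the Frobenius operator tau applied `times` times."""
    for _ in range(times):
        x = f_pow(x, P)
    return x

# An element of L{tau} is a list [c_0, c_1, ...] standing for sum c_i tau^i.
def tp_trim(f):
    while f and f[-1] == ZERO:
        f = f[:-1]
    return f

def tp_add(f, g):
    n = max(len(f), len(g))
    f, g = f + [ZERO]*(n - len(f)), g + [ZERO]*(n - len(g))
    return tp_trim([f_add(a, b) for a, b in zip(f, g)])

def tp_mul(f, g):
    """Composition in L{tau}: (c tau^i)(d tau^j) = c d^{q^i} tau^{i+j}, since tau^i d = d^{q^i} tau^i."""
    if not f or not g:
        return []
    out = [ZERO]*(len(f) + len(g) - 1)
    for i, c in enumerate(f):
        for j, d in enumerate(g):
            out[i+j] = f_add(out[i+j], f_mul(c, frob(d, i)))
    return tp_trim(out)

# A-field structure: iota(T) = i, so char_A L = ker iota = (T^2 - 2) is nonzero.
# phi_T = i + tau has M(T) = 1, i.e. rank 1 (a Carlitz-type module; our choice).
PHI_T = [I, ONE]

def poly_mul(a, b):
    """Multiplication in A = F_5[T]; a, b are coefficient lists of sum a_k T^k."""
    out = [0]*(len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i+j] = (out[i+j] + x*y) % P
    return out

def phi(a):
    """phi_a = sum a_k phi_T^k: the Drinfeld module is determined by phi_T (Example 3.4)."""
    result, power = [], [ONE]
    for a_k in a:
        result = tp_add(result, tp_mul([(a_k % P, 0)], power))
        power = tp_mul(power, PHI_T)
    return result

def big_m(f):
    """M(a) for f = phi_a: phi_a(x) has degree q^{M(a)} as a polynomial in x."""
    return len(tp_trim(f)) - 1

def evaluate(f, x):
    """Evaluate the F_q-linear polynomial sum c_i x^{q^i} at x in L."""
    total = ZERO
    for i, c in enumerate(f):
        total = f_add(total, f_mul(c, frob(x, i)))
    return total

def is_ring_hom(a, b):
    """phi_{ab} == phi_a phi_b in L{tau}."""
    return phi(poly_mul(a, b)) == tp_mul(phi(a), phi(b))

def is_fq_linear(f):
    """Additivity on L x L and F_q-homogeneity of the polynomial f."""
    add_ok = all(evaluate(f, f_add(x, y)) == f_add(evaluate(f, x), evaluate(f, y))
                 for x, y in product(FIELD, repeat=2))
    hom_ok = all(evaluate(f, f_mul((c, 0), x)) == f_mul((c, 0), evaluate(f, x))
                 for c in range(P) for x in FIELD)
    return add_ok and hom_ok

def torsion(a):
    """phi[a](L): the a-torsion of L viewed as an A-module via phi (Section 3.7)."""
    return [x for x in FIELD if evaluate(phi(a), x) == ZERO]

if __name__ == "__main__":
    print(tp_mul([ZERO, ONE], [I]))   # tau * i = i^5 tau = (-i) tau
    print(big_m(phi([0, 0, 1])))      # M(T^2) = 2 = deg(T^2) * rank
    print(is_ring_hom([1, 1], [2, 0, 1]), is_fq_linear(phi([3, 1, 1])))
    print(len(torsion([0, 1])))       # #phi[T](L) <= |T|^r = 5; here it is 1
```

Elements of A are passed as coefficient lists, so `[0, 0, 1]` is T² and `[1, 2, 0, 3]` is 1 + 2T + 3T³. Because φ_T has τ-degree 1, `big_m(phi(a))` equals deg a for every nonzero a, which is the rank-1 case of M(a) = (deg a)·r. The torsion enumeration shows the caveat from Section 3.7 concretely: φ_T(x) = ix + x⁵ has only the zero root in F_25, since −i is not a fourth power there, so φ[T](L) has order 1 rather than |T|^r = 5.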
3.4. Analogies. Drinfeld modules are 1-dimensional objects, no matter what the rank is. Comparing with Section 2.1 suggests the following analogies:

rank 0 Drinfeld module ←→ $\mathbb{G}_a$
rank 1 Drinfeld module ←→ $\mathbb{G}_m$ or CM elliptic curve (if E has CM by O, view its lattice as a rank 1 O-module)
rank 2 Drinfeld module ←→ elliptic curve
rank ≥ 3 Drinfeld module ←→ ? (if only such geometric objects existed...)

There is also a higher-dimensional generalization called a t-module [And86].

Remark 3.6. Gekeler [Gek83, Gek91] developed a theory of Drinfeld modules over finite fields analogous to the theory of abelian varieties over finite fields developed by Deuring, Tate, Waterhouse, and others.

3.5. Height.

Proposition 3.7. Let φ be a Drinfeld module over an A-field L of nonzero characteristic 𝔭. Then there exists a unique $h \in \mathbb{Q}_{>0}$ such that $m(a) = h\, v_\mathfrak{p}(a)$ for all nonzero a ∈ A. (Proposition 3.13(b) will imply that h is an integer satisfying 0 < h ≤ r.)

Proof. Enlarge L to make it perfect and extend φ to a homomorphism K → L((τ)) (twisted Laurent series in τ instead of $\tau^{-1}$) to define a valuation on K. It is positive on 𝔭, hence equal to $h\, v_\mathfrak{p}$ for some $h \in \mathbb{Q}_{>0}$.

Call h the height of φ. It is analogous to the height of the formal group of an elliptic curve over a field of characteristic p.

3.6. Drinfeld modules and lattices. For fixed A and L, Drinfeld A-modules over L form a category, with morphisms as follows:

Definition 3.8. A morphism f : φ → ψ of Drinfeld modules over L is an element of $\mathrm{End}\,\mathbb{G}_a$ such that $f \circ \phi_a = \psi_a \circ f$ for all a ∈ A: i.e.,
$$\begin{array}{ccc} \mathbb{G}_a & \xrightarrow{\;\phi_a\;} & \mathbb{G}_a \\ {\scriptstyle f}\downarrow\; & & \;\downarrow{\scriptstyle f} \\ \mathbb{G}_a & \xrightarrow{\;\psi_a\;} & \mathbb{G}_a \end{array} \tag{3.1}$$
commutes. An isogeny between Drinfeld modules φ and ψ is a surjective morphism f with finite kernel, or equivalently (since $\mathbb{G}_a$ is 1-dimensional), a nonzero morphism. If such an f exists, φ and ψ are called isogenous.

Over C, there is no nonzero algebraic homomorphism from $\mathbb{G}_m$ to an elliptic curve; analogously:

Proposition 3.9. Isogenous Drinfeld modules have the same rank.

Proof. If f : φ → ψ is an isogeny between Drinfeld modules of rank r and r', respectively, then (3.1) gives
$$(\deg f)\,|a|^{r} = |a|^{r'}\,(\deg f)$$
for all a ∈ A, so r = r'.
Because of Proposition 3.9, we fix the rank in the following.

Definition 3.10. A morphism of rank r A-lattices Λ, Λ' in C is a number c ∈ C such that cΛ ⊆ Λ'.

Theorem 3.11. For each r ≥ 0, the analytic construction
$$\{A\text{-lattices in } \mathbb{C} \text{ of rank } r\} \xrightarrow{\;\sim\;} \{\text{Drinfeld modules over } \mathbb{C} \text{ of rank } r\}$$
of Section 2 is an equivalence of categories.

Sketch of proof. Given a rank r Drinfeld module φ over C, choose a nonconstant a ∈ A, and consider a power series
$$e(z) = z + \alpha_1 z^q + \alpha_2 z^{q^2} + \cdots$$
with unknown coefficients $\alpha_i$. The condition $e(az) = \phi_a(e(z))$ determines the $\alpha_i$ uniquely; solve for each $\alpha_i$ in turn. Check that the resulting power series converges everywhere, and that its kernel is an A-lattice in C giving rise to φ. The proof of Proposition 2.3 shows more generally that a morphism of A-lattices corresponds to a polynomial map C → C defining a morphism of Drinfeld modules, and vice versa.

In particular, homothety classes of rank r A-lattices in C are in bijection with isomorphism classes of rank r Drinfeld modules over C.

3.7. Torsion points. The additive polynomial $\phi_a$ plays the role of the multiplication-by-n map on an elliptic curve, or the n-th power map on $\mathbb{G}_m$. For a ≠ 0, the a-torsion subscheme of a Drinfeld module φ is $\phi[a] := \ker\phi_a$, viewed as subgroup scheme of $\mathbb{G}_a$. It is a finite group scheme of order $\deg\phi_a = q^{M(a)} = |a|^r$. Let ${}_\phi L$ denote the additive group of L viewed as an A-module via φ. Then φ[a](L) is an A-submodule of ${}_\phi L$, but its order may be less than $|a|^r$ if L is not algebraically closed or φ[a] is not reduced.

More generally, if I is a nonzero ideal of A, let φ[I] be the scheme-theoretic intersection $\bigcap_{a \in I} \phi[a]$. Equivalently, one can define $\phi_I$ as the monic generator of the left ideal of L{τ} generated by $\{\phi_a : a \in I\}$, and define $\phi[I] := \ker\phi_I$. To understand the structure of φ[I](L), we need the following basic lemma about modules over Dedekind rings.

Lemma 3.12. Let A be a Dedekind ring. Let D be an A-module.
(a) If $\mathfrak{p}_1, \dots, \mathfrak{p}_n$ are distinct nonzero prime ideals of A, and $e_1, \dots, e_n \in \mathbb{Z}_{\ge 0}$, then $D[\mathfrak{p}_1^{e_1}\cdots\mathfrak{p}_n^{e_n}] \simeq D[\mathfrak{p}_1^{e_1}] \oplus \cdots \oplus D[\mathfrak{p}_n^{e_n}]$.
(b) If D is divisible, then for each fixed nonzero prime 𝔭 of A, the $A/\mathfrak{p}^e$-module $D[\mathfrak{p}^e]$ is free of rank independent of e.

Proof. Localize to assume that A is a discrete valuation ring. Then (a) is trivial. In proving (b), we write 𝔭 also for a generator of 𝔭. Since D[𝔭] is an A/𝔭-vector space, we can choose a free A-module F and an isomorphism $i_1 : \mathfrak{p}^{-1}F/F \xrightarrow{\sim} D[\mathfrak{p}]$. We construct isomorphisms $i_e : \mathfrak{p}^{-e}F/F \xrightarrow{\sim} D[\mathfrak{p}^e]$ for all e ≥ 1 by induction: given the isomorphism $i_e$, use divisibility of D to lift $i_e$ to a homomorphism
$i_{e+1} : \mathfrak{p}^{-(e+1)}F/F \to D[\mathfrak{p}^{e+1}]$ fitting in a commutative diagram with exact rows
$$\begin{array}{ccccccccc} 0 & \to & \mathfrak{p}^{-1}F/F & \to & \mathfrak{p}^{-(e+1)}F/F & \to & \mathfrak{p}^{-e}F/F & \to & 0 \\ & & \downarrow{\scriptstyle i_1} & & \downarrow{\scriptstyle i_{e+1}} & & \downarrow{\scriptstyle i_e} & & \\ 0 & \to & D[\mathfrak{p}] & \to & D[\mathfrak{p}^{e+1}] & \to & D[\mathfrak{p}^e] & \to & 0. \end{array}$$
The diagram shows that $i_{e+1}$ is an isomorphism too.
Proposition 3.13. Let $\phi$ be a rank $r$ Drinfeld module over an algebraically closed $A$-field $L$.
(a) If $I$ is an ideal of $A$ such that $\operatorname{char}_A L \nmid I$, then the $A/I$-module $\phi[I](L)$ is free of rank $r$. The same holds even if $L$ is only separably closed.
(b) If $\operatorname{char}_A L = \mathfrak{p} \neq 0$, let $h$ be the height of $\phi$; then the $A/\mathfrak{p}^e$-module $\phi[\mathfrak{p}^e](L)$ is free of rank $r-h$.

Proof. When $L$ is algebraically closed, $\phi_a \colon L \to L$ is surjective for every nonzero $a \in A$. In other words, the $A$-module ${}^{\phi}L$ is divisible. By Lemma 3.12, the claims for algebraically closed $L$ follow if for each nonzero prime $\mathfrak{p}$ of $A$, there exists $e \ge 1$ such that
$$\#\phi[\mathfrak{p}^e](L) = \begin{cases} \#(A/\mathfrak{p}^e)^{r}, & \text{if } \mathfrak{p} \neq \operatorname{char}_A L; \\ \#(A/\mathfrak{p}^e)^{r-h}, & \text{if } \mathfrak{p} = \operatorname{char}_A L. \end{cases}$$
The class group of $A$ is finite, so we may choose $e$ so that $\mathfrak{p}^e$ is principal, say generated by $a$. If $\mathfrak{p} \neq \operatorname{char}_A L$, then $\phi_a$ is separable, so $\#\phi[\mathfrak{p}^e](L) = \deg \phi_a = |a|^r = \#(A/a)^r$. If $\mathfrak{p} = \operatorname{char}_A L$, then each zero of $\phi_a$ has multiplicity $q^{m(a)} = \#(A/\mathfrak{p})^{h\,v_{\mathfrak{p}}(a)} = \#(A/a)^h$, so $\#\phi[\mathfrak{p}^e](L) = \#(A/a)^{r-h}$.

Now suppose that $L$ is only separably closed, with algebraic closure $\bar{L}$. If $\operatorname{char}_A L \nmid I$, the proof above shows that $\phi[I](\bar{L})$ consists of $L$-points, so the structure of $\phi[I](L)$ is the same.

Corollary 3.14. If $\phi$ is a rank $r$ Drinfeld module over any $A$-field $L$, and $I$ is a nonzero ideal of $A$, then $\deg \phi_I = \#\phi[I] = \#(A/I)^r$.

Proof. The underlying scheme of $\phi[I]$ is $\operatorname{Spec} L[x]/(\phi_I(x))$, so $\#\phi[I] = \deg \phi_I$. For the second equality, assume without loss of generality that $L$ is algebraically closed. For a group scheme $G$, let $G^0$ denote its connected component. Define $m(I) := \min\{m(a) : a \in I - \{0\}\}$. If $a \in A - \{0\}$, then $\phi[a]^0 = \ker \tau^{m(a)}$, so $\phi[I]^0 = \ker \tau^{m(I)}$. Thus $\#\phi[I]^0 = q^{m(I)}$, which is multiplicative in $I$. On the other hand, Proposition 3.13 shows that $\#\phi[I](L)$ is multiplicative in $I$. Thus the integers $\#\phi[I] = \#\phi[I]^0 \cdot \#\phi[I](L)$ and $\#(A/I)^r$ are both multiplicative in $I$. They are equal for any power of $I$ that is principal, so they are equal for $I$.

Corollary 3.15. Let $\phi$ be a rank 1 Drinfeld module over a field $L$ of nonzero $A$-characteristic $\mathfrak{p}$. Then $\phi_{\mathfrak{p}} = \tau^{\deg \mathfrak{p}}$.

Proof. Without loss of generality, $L$ is algebraically closed. Since $0 < h \le r = 1$, we have $h = r = 1$. By Proposition 3.13(b), $\phi[\mathfrak{p}](L) = 0$. On the other hand, $\phi_{\mathfrak{p}}$ is monic, by the general definition of $\phi_I$. The previous two sentences show that $\phi_{\mathfrak{p}}$ is a power of $\tau$. By Corollary 3.14, $\deg \phi_{\mathfrak{p}} = \#(A/\mathfrak{p}) = q^{\deg \mathfrak{p}} = \deg \tau^{\deg \mathfrak{p}}$, so $\phi_{\mathfrak{p}} = \tau^{\deg \mathfrak{p}}$.
INTRODUCTION TO DRINFELD MODULES
Corollary 3.16. In the context of Corollary 3.15, if $\mathfrak{p} = (\pi)$ for some $\pi \in A$, then $\phi_\pi = c\,\tau^{\deg \mathfrak{p}}$ for some $c \in L^\times$.

Proof. By definition, $\phi_{\mathfrak{p}}$ is the monic generator of the left ideal generated by $\{\phi_a : a \in \mathfrak{p}\}$, which is the left ideal generated by $\phi_\pi$.

3.8. Tate modules. Let $\mathfrak{l} \subset A$ be a prime ideal not equal to $0$ or $\operatorname{char}_A L$. Define the completions $A_{\mathfrak{l}} := \varprojlim_n A/\mathfrak{l}^n$ and $K_{\mathfrak{l}} := \operatorname{Frac} A_{\mathfrak{l}}$. Let $L^s$ be a separable closure of $L$. Then the Tate module
$$T_{\mathfrak{l}}\phi := \operatorname{Hom}(K_{\mathfrak{l}}/A_{\mathfrak{l}},\ {}^{\phi}L^s)$$
is a free $A_{\mathfrak{l}}$-module of rank $r$. Its applications are analogous to those for elliptic curves:
• The endomorphism ring $\operatorname{End}\phi$ is a projective $A$-module of rank $\le r^2$. In particular, if $r = 1$, then $\operatorname{End}\phi = A$ and $\operatorname{Aut}\phi = A^\times = \mathbb{F}_q^\times$.
• The Galois action on torsion points yields an $\mathfrak{l}$-adic representation
$$\rho_{\mathfrak{l}} \colon \operatorname{Gal}(L^s/L) \longrightarrow \operatorname{Aut}_{A_{\mathfrak{l}}}(T_{\mathfrak{l}}\phi) \simeq \mathrm{GL}_r(A_{\mathfrak{l}}).$$

4. Reduction theory

4.1. Drinfeld modules over rings. So far we considered Drinfeld modules over $A$-fields. One can also define Drinfeld modules over arbitrary $A$-algebras $R$ or even $A$-schemes. In such generality, the underlying $\mathbb{F}_q$-vector space scheme need only be locally isomorphic to $\mathbb{G}_a$, so it could be the $\mathbb{F}_q$-vector space scheme associated to a nontrivial line bundle on the base. To avoid this complication, let us assume that $\operatorname{Pic} R = 0$; this holds if the $A$-algebra $R$ is a principal ideal domain, for instance. Then a Drinfeld $A$-module over $R$ is given by a ring homomorphism
$$A \longrightarrow \operatorname{End}\mathbb{G}_{a,R} = R\{\tau\}, \qquad a \longmapsto \phi_a,$$
such that $\phi_a'(0) = a$ in $R$ for all $a \in A$ and $\mathrm{l.c.}(\phi_a) \in R^\times$ for all nonzero $a \in A$. The last requirement, which implies injectivity of $\phi$ (if $R$ is nonzero), guarantees that for any maximal ideal $\mathfrak{m} \subset R$, reducing all the $\phi_a$ modulo $\mathfrak{m}$ yields a Drinfeld module over $R/\mathfrak{m}$ of the same rank.

4.2. Good and stable reduction. Let us now specialize to the following setting:
$R$ : an $A$-discrete valuation ring (a discrete valuation ring with a ring homomorphism $A \to R$)
$\mathfrak{m}$ : the maximal ideal of $R$
$L := \operatorname{Frac} R$, the fraction field
$v \colon L \to \mathbb{Z} \cup \{+\infty\}$, the discrete valuation
$F := R/\mathfrak{m}$, the residue field
$\phi$ : a Drinfeld module over $L$ of rank $r \ge 1$.
BJORN POONEN
Then
• $\phi$ has good reduction if $\phi$ is isomorphic over $L$ to a Drinfeld module over $R$, that is, if after replacing $\phi$ by an isomorphic Drinfeld module over $L$, all the $\phi_a$ have coefficients in $R$, and $\mathrm{l.c.}(\phi_a) \in R^\times$ for all nonzero $a \in A$.
• $\phi$ has stable reduction if after replacing $\phi$ by an isomorphic Drinfeld module over $L$, all the $\phi_a$ have coefficients in $R$, and $a \mapsto (\phi_a \bmod \mathfrak{m})$ is a Drinfeld module over $F$ of positive rank.

Example 4.1. Let $A = \mathbb{F}_q[T]$. A rank 2 Drinfeld module over $L$ is determined by $\phi_T = T + c_1\tau + c_2\tau^2$; here $c_1, c_2 \in L$ and $c_2 \neq 0$. Isomorphic Drinfeld modules are given by
$$u^{-1}\phi_T u = T + u^{q-1}c_1\tau + u^{q^2-1}c_2\tau^2$$
for any $u \in L^\times$. The condition for stable reduction is satisfied if and only if $v(u^{q-1}c_1) \ge 0$ and $v(u^{q^2-1}c_2) \ge 0$, with at least one of them being an equality. This condition uniquely specifies $v(u) \in \mathbb{Q}$. An element $u$ of this valuation might not exist in $L$, but $u$ can be found in a suitable ramified finite extension of $L$.

Theorem 4.2 (Potential stability). Let $\phi$ be a Drinfeld module over $L$ of rank $r \ge 1$. There exists a finite ramified extension $L'$ of $L$ such that $\phi$ over $L'$ has stable reduction.

Proof. Choose generators $a_1, \dots, a_m$ of the ring $A$. As in Example 4.1, find $L'$ and $u \in L'$ of valuation "just right" so that all coefficients of $u^{-1}\phi_{a_i}u$ for all $i$ have nonnegative valuation, and there exist $i$ and $j > 0$ such that the coefficient of $\tau^j$ in $u^{-1}\phi_{a_i}u$ has valuation $0$.

Corollary 4.3. Let $\phi$ be a rank 1 Drinfeld module over $L$. If there exists $a \in A$ such that $\deg \phi_a > 1$ and $\mathrm{l.c.}(\phi_a) \in R^\times$, then $\phi$ is a Drinfeld module over $R$.

Note: Saying that $\phi$ is a Drinfeld module over $R$ is stronger than saying that $\phi$ is isomorphic over $L$ to a Drinfeld module over $R$, which would be saying that $\phi$ has good reduction.

Proof. By enlarging $R$ and $L$, we may assume that $\phi$ has stable reduction, so there exists $u$ such that $(u^{-1}\phi u) \bmod \mathfrak{m}$ is a Drinfeld module of positive rank. This reduction has rank at most the rank of $\phi$, so it too has rank 1, so $\phi_a$ and $(u^{-1}\phi_a u) \bmod \mathfrak{m}$ have the same degree. Thus $v(\mathrm{l.c.}(\phi_a))$ and $v(\mathrm{l.c.}(u^{-1}\phi_a u))$ are $0$, so $v(u^{\deg \phi_a - 1}) = 0$, so $v(u) = 0$. Now $u^{-1}\phi u$ is a Drinfeld module of rank 1 over $R$, so $\phi$ is too.

5. Example: The Carlitz module

The Drinfeld module analogue of $\mathbb{G}_m$ is the Carlitz module
$$\phi \colon A = \mathbb{F}_q[T] \longrightarrow K\{\tau\}, \qquad T \longmapsto T + \tau$$
(i.e., $\phi_T(x) = Tx + x^q$). This is a Drinfeld module of rank 1 since $\deg \phi_T = q = |T|^1$.
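Before continuing with the Carlitz module, here is the stable-reduction condition of Example 4.1 solved for $v(u)$, together with the data the proof of Theorem 4.2 extracts from it. This Python is an added example, not part of Poonen's article: it takes $q$ and the valuations $v(c_1)$, $v(c_2)$ of the coefficients of $\phi_T = T + c_1\tau + c_2\tau^2$, and the function names, the dictionary keys and the final remark relating the reduced rank to $v(j)$ for $j = c_1^{q+1}/c_2$ (the invariant of Section 7.2) are mine, derived from the two inequalities in Example 4.1.

```python
# Added example (not from Poonen's article): solve the stable-reduction condition of
# Example 4.1 for v(u).  Names and conventions here are my own.
from fractions import Fraction

def stable_valuation(q, v_c1, v_c2):
    """v(u) in Q such that u^{-1} phi_T u = T + u^{q-1} c_1 tau + u^{q^2-1} c_2 tau^2 has
    both coefficients of nonnegative valuation, at least one of them zero.
    v_c1 is the valuation of c_1 (pass None when c_1 = 0); v_c2 that of c_2 (c_2 != 0)."""
    candidates = [Fraction(-v_c2, q * q - 1)]          # makes v(u^{q^2-1} c_2) = 0
    if v_c1 is not None:
        candidates.append(Fraction(-v_c1, q - 1))       # makes v(u^{q-1} c_1) = 0
    # the larger candidate makes both valuations >= 0 and exactly one (or both) equal to 0
    return max(candidates)

def reduction_data(q, v_c1, v_c2):
    """The reduction of phi over the extension L' of Theorem 4.2 where u exists."""
    vu = stable_valuation(q, v_c1, v_c2)
    v1 = None if v_c1 is None else (q - 1) * vu + v_c1   # valuation of the scaled tau coefficient
    v2 = (q * q - 1) * vu + v_c2                           # valuation of the scaled tau^2 coefficient
    # a -> (phi_a mod m) keeps rank 2 exactly when the leading coefficient is still a unit;
    # otherwise the tau coefficient is the unit and the reduction has rank 1 (stable, not good)
    reduced_rank = 2 if v2 == 0 else 1
    return {
        "v_u": vu,
        # v(u) = r/e in lowest terms: u exists once the ramification index is a multiple of e
        "ramification_index": vu.denominator,
        "scaled_valuations": (v1, v2),
        "reduced_rank": reduced_rank,
        "potentially_good": reduced_rank == 2,
    }

def j_valuation(q, v_c1, v_c2):
    """v(j) for j = c_1^{q+1}/c_2; None means j = 0.  From the inequalities of Example 4.1,
    the scaled tau^2 coefficient stays a unit iff (q+1) v(c_1) >= v(c_2), i.e. iff v(j) >= 0."""
    return None if v_c1 is None else (q + 1) * v_c1 - v_c2
```

With $q = 2$, $v(c_1) = 0$ and $v(c_2) = -1$ the result is $v(u) = 1/3$, so $u$ lives in an extension with ramification index $3$, and after scaling the $\tau^2$ coefficient is a unit: the reduction there is good. With $q = 3$, $v(c_1) = -2$, $v(c_2) = 0$ one gets $v(u) = 1$, the $\tau$ coefficient becomes the unit and the reduction has rank 1, so it is stable but not good; this matches $v(j) = -8 < 0$.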
Define
$$[n] := T^{q^n} - T,$$
$$[n]! := [1]\,[2] \cdots [n],$$
$$e(z) := \sum_{n \ge 0} \frac{z^{q^n}}{[n]!},$$
$$\pi := \prod_{n \ge 1} \left(1 - \frac{[n]}{[n+1]}\right)^{-1} \in K_\infty,$$
$$i := \sqrt[q-1]{-[1]} \in C.$$
Carlitz [Car35], long before Drinfeld, proved that $e$ induces an isomorphism
$$C/\pi i A \xrightarrow{\ \sim\ } (C \text{ with the Carlitz } A\text{-module action}).$$
This is analogous to $\exp \colon \mathbb{C}/2\pi i\mathbb{Z} \xrightarrow{\ \sim\ } \mathbb{C}^\times$.

Theorem 5.1 ([Car38, Theorem 9]). Fix $a \in A$ with $a \neq 0$. Then $K(\phi[a])$ is an abelian extension of $K$, and $\operatorname{Gal}(K(\phi[a])/K) \simeq (A/a)^\times$.

Theorem 5.1 is analogous to $\operatorname{Gal}(\mathbb{Q}(\mu_n)/\mathbb{Q}) \xrightarrow{\ \sim\ } (\mathbb{Z}/n\mathbb{Z})^\times$, and can be proved in the same way.

Theorem 5.2 (Analogue of Kronecker–Weber, implicit in [Hay74, §7] and [Dri74, §8]). Every abelian extension of $K$ in which the place $\infty$ splits completely is contained in $K(\phi[a])$ for some $a$.

6. Class field theory

The theory of elliptic curves with complex multiplication leads to an explicit construction of the abelian extensions of an imaginary quadratic number field. In this section, we explain work of Drinfeld [Dri74] and Hayes [Hay79] that adapts this classical theory to construct the abelian extensions of an arbitrary global function field $K = \operatorname{Frac} A$.

6.1. The class group. When $A$ is not a principal ideal domain, class field theory is more complicated than Theorem 5.2 would suggest. Introduce the following notation:
$\mathcal{I}$ := the group of nonzero fractional $A$-ideals in $K$
$\mathcal{P} := \{(c) : c \in K^\times\}$, the group of principal fractional $A$-ideals
$\operatorname{Pic} A := \mathcal{I}/\mathcal{P}$, the class group of $A$.
For a nonzero fractional ideal $I$, let $[I]$ denote its class in $\operatorname{Pic} A$.

6.2. Rank 1 Drinfeld modules over $C$.

Proposition 6.1. We have bijections
$$\operatorname{Pic} A \xrightarrow{\ \sim\ } \frac{\{\text{rank 1 } A\text{-lattices in } C\}}{\text{homothety}} \xrightarrow{\ \sim\ } \frac{\{\text{rank 1 Drinfeld modules over } C\}}{\text{isomorphism}}, \qquad [I] \longmapsto (\text{homothety class of } I \text{ in } C).$$
Proof. The second bijection comes from the $r = 1$ case of Theorem 3.11. Thus we need only consider the first map. Surjectivity: Any rank 1 $A$-lattice $\Lambda$ in $C$ can be scaled so that $K\Lambda = K$. Then $\Lambda$ is a nonzero fractional ideal $I$. Injectivity: $I$ is homothetic to $I'$ in $C$ if and only if there exists $c \in K^\times$ such that $I = cI'$.

Corollary 6.2. Every rank 1 Drinfeld module over $C$ is isomorphic to one defined over $K_\infty$.

Proof. When the lattice $\Lambda$ is contained in $K_\infty$, the power series $e$ and polynomials $\phi_a$ constructed in Section 2 will have coefficients in $K_\infty$.

6.3. The action of ideals on Drinfeld modules. The bijection between $\operatorname{Pic} A$ and the set of isomorphism classes of rank 1 Drinfeld modules over $C$ is analytic, not canonical from the algebraic point of view. But a weaker form of this structure exists algebraically, as will be described in Theorem 6.5.

Fix any $A$-field $L$. If $I$ is a nonzero ideal of $A$ and $\phi$ is a Drinfeld module over $L$, we can define a new Drinfeld module $I * \phi$ over $L$ isomorphic to the quotient of $\mathbb{G}_a$ by $\phi[I]$; more precisely, there exists a unique Drinfeld module $\psi$ over $L$ such that $\phi_I \colon \mathbb{G}_a \to \mathbb{G}_a$ is an isogeny $\phi \to \psi$, and we define $I * \phi := \psi$.

Suppose that $I = (a)$ for some nonzero $a \in A$. Then $\phi_I$ is $\phi_a$ made monic; that is, if $u := \mathrm{l.c.}(\phi_a)$, then $\phi_I = u^{-1}\phi_a$. Therefore $\phi_I$ is the composition
$$\phi \xrightarrow{\ \phi_a\ } \phi \xrightarrow{\ u^{-1}\ } u^{-1}\phi u,$$
so $(a) * \phi = u^{-1}\phi u$, which is isomorphic to $\phi$, but not necessarily equal to $\phi$. This suggests that we define $(a^{-1}) * \phi = u\phi u^{-1}$. Finally, every $I \in \mathcal{I}$ is $(a^{-1})J$ for some $a \in A - \{0\}$ and integral ideal $J$, and we define $I * \phi = u(J * \phi)u^{-1}$. The following is now easy to check:

Proposition 6.3. The operation $*$ defines an action of $\mathcal{I}$ on the set of Drinfeld modules over $L$. It induces an action of $\operatorname{Pic} A$ on the set of isomorphism classes of Drinfeld modules over $L$.

Example 6.4. Suppose that $\phi$ is over $C$, and $I$ is a nonzero integral ideal of $A$. If we identify $\phi$ analytically with $C/\Lambda$, then $\phi[I] \simeq I^{-1}\Lambda/\Lambda$, so
$$I * (C/\Lambda) \simeq (C/\Lambda)/(I^{-1}\Lambda/\Lambda) \simeq C/I^{-1}\Lambda.$$

Let $Y(C)$ be the set of isomorphism classes of rank 1 Drinfeld $A$-modules over $C$.

Theorem 6.5. The set $Y(C)$ is a principal homogeneous space under the action of $\operatorname{Pic} A$.

Proof. This follows from Proposition 6.1 and the calculation in Example 6.4 showing that the corresponding action of $\mathcal{I}$ on lattices is by multiplication by $I^{-1}$.

6.4. Sgn-normalized Drinfeld modules. We will eventually construct abelian extensions of a global function field $K$ by adjoining the coefficients appearing in rank 1 Drinfeld modules. For this, it will be important to have actual Drinfeld modules, and not just isomorphism classes of Drinfeld modules. Therefore we will choose a (not quite unique) "normalized" representative of each isomorphism class.
Let $\mathbb{F}_\infty$ be the residue field of $\infty \in X$. Since $\infty$ is a closed point, $\mathbb{F}_\infty$ is a finite extension of $\mathbb{F}_q$. A choice of uniformizer $\pi \in K_\infty$ defines an isomorphism $K_\infty \simeq \mathbb{F}_\infty((\pi))$, and we define $\operatorname{sgn}$ as the composition
$$K_\infty^\times \xrightarrow{\ \sim\ } \mathbb{F}_\infty((\pi))^\times \xrightarrow{\ \mathrm{l.c.}\ } \mathbb{F}_\infty^\times.$$
The function $\operatorname{sgn}$ is an analogue of the classical sign function $\operatorname{sgn} \colon \mathbb{R}^\times \to \{\pm 1\}$. From now on, we fix $(A, \operatorname{sgn})$.

Definition 6.6. A rank 1 Drinfeld module $\phi$ over $L$ is sgn-normalized if there exists an $\mathbb{F}_q$-algebra homomorphism $\eta \colon \mathbb{F}_\infty \to L$ such that $\mathrm{l.c.}(\phi_a) = \eta(\operatorname{sgn} a)$ for all nonzero $a \in A$.

Example 6.7. Suppose that $A = \mathbb{F}_q[T]$ and $\operatorname{sgn}(1/T) = 1$. For a rank 1 Drinfeld $A$-module $\phi$ over $L$, the following are equivalent:
• $\phi$ is sgn-normalized;
• $\mathrm{l.c.}(\phi_T) = 1$;
• $\phi_T = T + \tau$ (the Carlitz module).

Theorem 6.8. Every rank 1 Drinfeld module $\phi$ over $C$ is isomorphic to a sgn-normalized Drinfeld module. More precisely, the set of sgn-normalized Drinfeld modules isomorphic to $\phi$ is a principal homogeneous space under $\mathbb{F}_\infty^\times/\mathbb{F}_q^\times$.

Proof. When $A$ is generated over $\mathbb{F}_q$ by one element $T$, then it suffices to choose $u$ so that $u^{-1}\phi_T u$ is monic. The idea in general is that even if $A$ is not generated by one element, its completion will be (topologically). First, extend $\phi$ to a homomorphism $K \to C((\tau^{-1}))$ as in the proof of Proposition 3.5. The induced valuation on $K$ is $v_\infty$, so there exists a unique extension to a continuous homomorphism $K_\infty \to C((\tau^{-1}))$, which we again denote by $a \mapsto \phi_a$. Also, $\mathrm{l.c.}$ extends to a map $C((\tau^{-1}))^\times \to C^\times$ (not a homomorphism). Let $\pi \in K_\infty$ be a uniformizer with $\operatorname{sgn}(\pi) = 1$. Replacing $\phi$ by $u^{-1}\phi u$ multiplies $\mathrm{l.c.}(\phi_\pi)$ by $u^{|\pi|-1}$, so we can choose $u \in C^\times$ to make $\mathrm{l.c.}(\phi_\pi) = 1$. We claim that the new $\phi$ is sgn-normalized. Define $\eta \colon \mathbb{F}_\infty \to C$ by $\eta(c) := \mathrm{l.c.}(\phi_c)$. For any $a = c\pi^n \in K_\infty^\times$, with $c \in \mathbb{F}_\infty^\times$ and $n \in \mathbb{Z}$, we have
$$\mathrm{l.c.}(\phi_a) = \mathrm{l.c.}(\phi_c\phi_\pi^n) = \mathrm{l.c.}(\phi_c) = \eta(c) = \eta(\operatorname{sgn} a),$$
as required. The $u$ was determined up to a $(\#\mathbb{F}_\infty - 1)$th root of unity, but $\operatorname{Aut}\phi = A^\times = \mathbb{F}_q^\times$, so $u^{-1}\phi u$ depends only on the image of $u$ modulo $\mathbb{F}_q^\times$. This explains the principal homogeneous space claim.

Introduce the following notation:
$Y^+(L)$ := the set of sgn-normalized rank 1 Drinfeld $A$-modules over $L$
$\mathcal{P}^+ := \{(c) : c \in K^\times \text{ and } \operatorname{sgn} c = 1\} \subseteq \mathcal{P}$
$\operatorname{Pic}^+ A := \mathcal{I}/\mathcal{P}^+$, the narrow class group of $A$.

Lemma 6.9. If $\phi \in Y^+(L)$, then $\operatorname{Stab}_{\mathcal{I}}\phi = \mathcal{P}^+$.

Proof. The following are equivalent for a nonzero integral ideal $I$ not divisible by $\operatorname{char}_A\phi$:
• $I * \phi = \phi$;
• $\phi_I\phi_a = \phi_a\phi_I$ for all $a \in A$;
• $\phi_I \in \operatorname{End}\phi$;
• $\phi_I \in A$;
• $\phi_I = \phi_b$ for some $b \in A$.
In particular, if $I$ is an integral ideal in $\mathcal{P}^+$, then $I = (b)$ for some $b \in A$ with $\operatorname{sgn} b = 1$, so $\phi_I = \phi_b$, so $I \in \operatorname{Stab}_{\mathcal{I}}\phi$. Using weak approximation, one can show that the integral ideals in $\mathcal{P}^+$ generate the group $\mathcal{P}^+$, and that a general ideal $I$ can be multiplied by an ideal in $\mathcal{P}^+$ to make it integral and not divisible by $\operatorname{char}_A\phi$. Thus it remains to show that when $I$ is an integral ideal not divisible by $\operatorname{char}_A\phi$, the condition $\phi_I = \phi_b$ implies $I \in \mathcal{P}^+$. Suppose that $\phi_I = \phi_b$. Taking kernels yields $\phi[I] = \phi[b]$. Since $\operatorname{char}_A\phi \nmid I$, the group scheme $\phi[I]$ is reduced, so $\operatorname{char}_A\phi \nmid b$. By Proposition 3.13, $I = \operatorname{Ann}_A\phi[I] = \operatorname{Ann}_A\phi[b] = (b)$. Also, $\eta(\operatorname{sgn} b) = \mathrm{l.c.}(\phi_b) = \mathrm{l.c.}(\phi_I) = 1$, so $\operatorname{sgn} b = 1$. Thus $I \in \mathcal{P}^+$.

Theorem 6.10. The action of $\mathcal{I}$ on Drinfeld modules makes $Y^+(C)$ a principal homogeneous space under $\operatorname{Pic}^+ A$.

Proof. Lemma 6.9 implies that $Y^+(C)$ is a disjoint union of principal homogeneous spaces under $\operatorname{Pic}^+ A$, so it suffices to check that $Y^+(C)$ and $\operatorname{Pic}^+ A$ are finite sets of the same size. Theorems 6.8 and 6.5 imply
$$\#Y^+(C) = \#Y(C) \cdot \#(\mathbb{F}_\infty^\times/\mathbb{F}_q^\times) = \#\operatorname{Pic} A \cdot \#(\mathbb{F}_\infty^\times/\mathbb{F}_q^\times).$$
On the other hand, the exact sequence
$$1 \longrightarrow \mathcal{P}/\mathcal{P}^+ \longrightarrow \mathcal{I}/\mathcal{P}^+ \longrightarrow \mathcal{I}/\mathcal{P} \longrightarrow 1$$
and the isomorphism $\mathcal{P}/\mathcal{P}^+ \xrightarrow{\ \sim\ } \mathbb{F}_\infty^\times/\mathbb{F}_q^\times$ induced by $\operatorname{sgn}$ show that
$$\#\operatorname{Pic}^+ A = \#\operatorname{Pic} A \cdot \#(\mathbb{F}_\infty^\times/\mathbb{F}_q^\times).$$

6.5. The narrow Hilbert class field. Choose $\phi \in Y^+(C)$. Define
$$H^+ := K(\text{all coefficients of } \phi_a \text{ for all } a \in A) \subseteq C.$$
Then $\phi$ is a Drinfeld module over $H^+$, and so is $I * \phi$ for any $I \in \mathcal{I}$. By Theorem 6.10, these are all the objects in $Y^+(C)$, so $H^+$ is also the extension of $K$ generated by the coefficients of $\phi_a$ for all $\phi \in Y^+(C)$ and all $a \in A$. In particular, $H^+$ is independent of the choice of $\phi$. It is called the narrow Hilbert class field of $(A, \operatorname{sgn})$.

Theorem 6.11.
(a) The field $H^+$ is a finite abelian extension of $K$.
(b) The extension $H^+ \supseteq K$ is unramified above every finite place ("finite" means not $\infty$).
(c) We have $\operatorname{Gal}(H^+/K) \simeq \operatorname{Pic}^+ A$.

Proof. (a) The group $\operatorname{Aut}(C/K)$ acts on $Y^+(C)$, so it maps $H^+$ to itself. Also, $H^+$ is finitely generated over $K$. These imply that $H^+$ is a finite normal extension of $K$. By Corollary 6.2, each rank 1 Drinfeld module over $C$ is isomorphic to one over $K_\infty$, and it can be made sgn-normalized over the field $F$ obtained by adjoining to $K_\infty$ the $(\#\mathbb{F}_\infty - 1)$th root of some element. Then $H^+ \subset F$. On the other hand, the extensions $K \subseteq K_\infty \subseteq F$ are separable, so $H^+$ is separable over $K$.
The automorphism group of $Y^+(C)$ as a principal homogeneous space under $\operatorname{Pic}^+ A$ equals $\operatorname{Pic}^+ A$, so we have an injective homomorphism $\chi \colon \operatorname{Gal}(H^+/K) \to \operatorname{Aut} Y^+(C) \simeq \operatorname{Pic}^+ A$. Thus $\operatorname{Gal}(H^+/K)$ is a finite abelian group.

(b) Let $B^+$ be the integral closure of $A$ in $H^+$. Let $\mathfrak{P} \subset B^+$ be a nonzero prime ideal, lying above $\mathfrak{p} \subset A$. Let $\mathbb{F}_{\mathfrak{P}} = B^+/\mathfrak{P}$. By Corollary 4.3, each $\phi \in Y^+(H^+) = Y^+(C)$ is a Drinfeld module over the localization $B^+_{\mathfrak{P}}$, so there is a reduction map $\rho \colon Y^+(H^+) \to Y^+(\mathbb{F}_{\mathfrak{P}})$. By Lemma 6.9 (which computes the stabilizers), $\operatorname{Pic}^+ A$ acts freely on the source and target. Moreover, the map $\rho$ is $(\operatorname{Pic}^+ A)$-equivariant, and $Y^+(H^+)$ is a principal homogeneous space under $\operatorname{Pic}^+ A$ by Theorem 6.10, so $\rho$ is injective. If an automorphism $\sigma \in \operatorname{Gal}(H^+/K)$ belongs to the inertia group at $\mathfrak{P}$, then $\sigma$ acts trivially on $Y^+(\mathbb{F}_{\mathfrak{P}})$, so $\sigma$ acts trivially on $Y^+(H^+)$, so $\sigma = 1$. Thus $H^+ \supseteq K$ is unramified at $\mathfrak{P}$.

(c) Let $\operatorname{Frob}_{\mathfrak{p}} := \operatorname{Frob}_{\mathfrak{P}} \in \operatorname{Gal}(\mathbb{F}_{\mathfrak{P}}/\mathbb{F}_{\mathfrak{p}}) \hookrightarrow \operatorname{Gal}(H^+/K)$ be the Frobenius automorphism. The key point is the formula
$$\operatorname{Frob}_{\mathfrak{p}}\phi = \mathfrak{p} * \phi$$
for any $\phi \in Y^+(\mathbb{F}_{\mathfrak{P}})$; let us now prove this. By definition, if $\psi := \mathfrak{p} * \phi$, then $\psi_a\phi_{\mathfrak{p}} = \phi_{\mathfrak{p}}\phi_a$ for all $a \in A$. By Corollary 3.15, $\phi_{\mathfrak{p}} = \tau^{\deg\mathfrak{p}}$, so $\psi_a\tau^{\deg\mathfrak{p}} = \tau^{\deg\mathfrak{p}}\phi_a$. Compare coefficients: if $\phi_a = \sum_i c_i\tau^i$, then $\tau^{\deg\mathfrak{p}}\phi_a = \sum_i c_i^{q^{\deg\mathfrak{p}}}\tau^{i+\deg\mathfrak{p}}$, so $\psi_a = \sum_i c_i^{q^{\deg\mathfrak{p}}}\tau^i$; since $q^{\deg\mathfrak{p}} = \#\mathbb{F}_{\mathfrak{p}}$, raising to this power is the action of $\operatorname{Frob}_{\mathfrak{p}}$ on $\mathbb{F}_{\mathfrak{P}}$, and we obtain $\psi = \operatorname{Frob}_{\mathfrak{p}}\phi$. Since $Y^+(H^+) \to Y^+(\mathbb{F}_{\mathfrak{P}})$ is injective and $(\operatorname{Pic}^+ A)$-equivariant, it follows that $\operatorname{Frob}_{\mathfrak{p}}$ acts on $Y^+(H^+)$ too as $\phi \mapsto \mathfrak{p} * \phi$. Thus $\chi \colon \operatorname{Gal}(H^+/K) \to \operatorname{Pic}^+ A$ maps $\operatorname{Frob}_{\mathfrak{p}}$ to the class of $\mathfrak{p}$ in $\operatorname{Pic}^+ A$. Such classes generate $\operatorname{Pic}^+ A$, so $\chi$ is surjective.

6.6. The Hilbert class field. Because of the exact sequence
$$0 \longrightarrow \mathcal{P}/\mathcal{P}^+ \longrightarrow \operatorname{Pic}^+ A \longrightarrow \operatorname{Pic} A \longrightarrow 0,$$
the extension $H^+ \supseteq K$ decomposes into two abelian extensions
$$K \subseteq H \subseteq H^+, \qquad \operatorname{Gal}(H/K) \simeq \operatorname{Pic} A, \qquad \operatorname{Gal}(H^+/H) \simeq \mathcal{P}/\mathcal{P}^+,$$
with Galois groups as shown. The map of sets $Y^+(C) \twoheadrightarrow Y(C)$ is compatible with the surjection of groups $\operatorname{Pic}^+ A \twoheadrightarrow \operatorname{Pic} A$ acting on the sets. By Corollary 6.2, each element of $Y(C)$ is represented by a Drinfeld module over $K_\infty$, so the decomposition group $D_\infty \subseteq \operatorname{Gal}(H^+/K)$ acts trivially on $Y(C)$. Thus $D_\infty \subseteq \mathcal{P}/\mathcal{P}^+$. In other words, $\infty$ splits completely in $H \supseteq K$. The Hilbert class field $H_A$ of $A$ is defined as the maximal unramified abelian extension of $K$ in which $\infty$ splits completely. Thus $H \subseteq H_A$. On the other hand,
$\operatorname{Gal}(H/K) \simeq \operatorname{Pic} A \simeq \operatorname{Gal}(H_A/K)$, the latter isomorphism coming from class field theory. Hence $H = H_A$.

6.7. Ray class fields. In this section, we generalize the constructions to obtain all the abelian extensions of $K$, even the ramified ones. Introduce the following notation:
$\mathfrak{m}$ : a nonzero ideal of $A$
$\mathcal{I}_{\mathfrak{m}}$ := the subgroup of $\mathcal{I}$ generated by primes not dividing $\mathfrak{m}$
$\mathcal{P}_{\mathfrak{m}} := \{(c) : c \in K^\times \text{ and } c \equiv 1 \bmod \mathfrak{m}\}$
$\mathcal{P}^+_{\mathfrak{m}} := \{(c) : c \in K^\times,\ \operatorname{sgn} c = 1 \text{ and } c \equiv 1 \bmod \mathfrak{m}\}$
$\operatorname{Pic}_{\mathfrak{m}} A := \mathcal{I}_{\mathfrak{m}}/\mathcal{P}_{\mathfrak{m}}$, the ray class group modulo $\mathfrak{m}$ of $A$
$\operatorname{Pic}^+_{\mathfrak{m}} A := \mathcal{I}_{\mathfrak{m}}/\mathcal{P}^+_{\mathfrak{m}}$, the narrow ray class group modulo $\mathfrak{m}$ of $(A, \operatorname{sgn})$
$Y^+_{\mathfrak{m}}(C) := \{(\phi, \lambda) : \phi \in Y^+(C) \text{ and } \lambda \text{ generates the } A/\mathfrak{m}\text{-module } \phi[\mathfrak{m}](C)\}$
$H^+_{\mathfrak{m}} := H^+(\lambda)$ for any $(\phi, \lambda) \in Y^+_{\mathfrak{m}}(C)$ (the narrow ray class field modulo $\mathfrak{m}$ of $(A, \operatorname{sgn})$)
$H_{\mathfrak{m}}$ := the subfield of $H^+_{\mathfrak{m}}$ fixed by $\mathcal{P}_{\mathfrak{m}}/\mathcal{P}^+_{\mathfrak{m}}$ (the ray class field modulo $\mathfrak{m}$ of $A$).

Arguments similar to those in previous sections show the following:

Theorem 6.12.
(a) There is an action of $\mathcal{I}_{\mathfrak{m}}$ on $Y^+_{\mathfrak{m}}(C)$ making $Y^+_{\mathfrak{m}}(C)$ a principal homogeneous space under $\operatorname{Pic}^+_{\mathfrak{m}} A$.
(b) The field $H^+_{\mathfrak{m}}$ is a finite abelian extension of $K$, unramified outside $\mathfrak{m}$, and $\operatorname{Gal}(H^+_{\mathfrak{m}}/K) \simeq \operatorname{Pic}^+_{\mathfrak{m}} A$.
(c) The extension $H_{\mathfrak{m}}$ is the ray class field modulo $\mathfrak{m}$ of $A$ as classically defined, with $\operatorname{Gal}(H_{\mathfrak{m}}/K) \simeq \operatorname{Pic}_{\mathfrak{m}} A$.

6.8. The maximal abelian extension. Theorem 6.12 implies that $\bigcup_{\mathfrak{m}} H_{\mathfrak{m}}$ equals $K^{\mathrm{ab},\infty}$, the maximal abelian extension of $K$ in which $\infty$ splits completely. Finally, if $\infty'$ is a second closed point of $X$, then the compositum $K^{\mathrm{ab},\infty} K^{\mathrm{ab},\infty'}$ is the maximal abelian extension of $K$.

6.9. Example of an explicit Hilbert class field. We follow [Hay91, Example 3]; see [Hay91, DH94] for other examples similar to this one. Let $q = 2$. Let $X$ be the elliptic curve over $\mathbb{F}_2$ associated to the equation $y^2 + y = x^3$. Let $\infty$ be the point at infinity on $X$. Then $A = \mathbb{F}_2[x, y]/(y^2 + y - x^3)$. Since $\mathbb{F}_\infty^\times = \{1\}$, there is only one possible $\operatorname{sgn}$, and $\mathcal{P}/\mathcal{P}^+ \simeq \mathbb{F}_\infty^\times/\mathbb{F}_q^\times \simeq \{1\}$, so $\operatorname{Pic}^+ A \simeq \operatorname{Pic} A \simeq \operatorname{Pic}^0 X \simeq X(\mathbb{F}_2)$, which is of order 3. Thus $H^+ = H$ and $[H : K] = 3$. Our goal is to use Drinfeld modules to find an explicit equation defining $H$ as an extension of $K$. By definition, to give a sgn-normalized rank 1 Drinfeld $A$-module over a given field extension $L$ of $K$ is to give elements $a, c_1, c_2 \in L$ such that the elements
$$\phi_x = x + a\tau + \tau^2, \qquad \phi_y = y + c_1\tau + c_2\tau^2 + \tau^3$$
of $L\{\tau\}$ satisfy $\phi_x\phi_y = \phi_y\phi_x$ and $\phi_y^2 + \phi_y = \phi_x^3$. In fact, the second condition is redundant: if $\phi_x$ commutes with $\phi_y$, then $\phi_x$ commutes with $\phi_y^2 + \phi_y - \phi_x^3$, but in $L\{\tau\}$ if an element with nonzero constant term commutes with an element with zero constant term, the second element is $0$, as one sees by equating coefficients. Thus the only condition is $\phi_x\phi_y = \phi_y\phi_x$, which amounts to the system
$$\begin{aligned} xc_1 + ay^2 &= ay + c_1x^2 \\ xc_2 + ac_1^2 + y^4 &= y + c_1a^2 + c_2x^4 \\ x + ac_2^2 + c_1^4 &= c_1 + c_2a^4 + x^8 \\ a + c_2^4 &= c_2 + a^8 \end{aligned}$$
in the unknowns $a, c_1, c_2$. The first two equations let us eliminate $c_1$ and $c_2$ in turn (remember that $x$ and $y$ are constants in $K$): since $y^2 + y = x^3$ and hence $y^4 + y = x^3 + x^6 = x^3(x+1)(x^2+x+1)$, the first equation reads $c_1(x^2 + x) = ax^3$, so $c_1 = ax^2/(x+1)$, and the second then gives $c_2 = x^2 + a^3x/(x+1)^3$; in particular $y$ drops out. Substituting into the last two equations and clearing denominators, we are left with two polynomials in $K[a]$ that must vanish. Their gcd turns out to be
$$a^3 + (x^2+x)a^2 + (x+1)^2a + (x+1)^4,$$
so $H$ is the extension of $K$ generated by a root of this cubic polynomial.

Remark 6.13. One could also find an equation for $H$ by working analytically, just as one can use lattices in $\mathbb{C}$ to compute CM $j$-invariants numerically. In both settings, the result can be made rigorous by invoking integrality properties.

Remark 6.14. Yet another way to find $H$ would be to use geometric class field theory: Let $F$ be the Frobenius endomorphism of $X$; then the extension of function fields $H \supseteq K$ arises from the finite étale covering $X \xrightarrow{\ F-1\ } X$.

Similar calculations can be done when $\deg \infty > 1$, but they are more complicated.

7. Drinfeld modular varieties

7.1. Classical modular curves. The classical modular curve $Y(1)$ is a coarse moduli space whose points over any algebraically closed field $k$ are in bijection with isomorphism classes of elliptic curves over $k$. Over $\mathbb{C}$, the analytic description of elliptic curves as $\mathbb{C}/\Lambda$ with $\Lambda = \mathbb{Z}\tau + \mathbb{Z}$ for some $\tau \in \mathbb{C} - \mathbb{R}$ shows that $Y(1)(\mathbb{C}) \simeq \Gamma\backslash\Omega$ where $\Omega := \mathbb{C} - \mathbb{R}$ (the union of the upper and lower half planes in $\mathbb{C}$) and $\Gamma := \mathrm{GL}_2(\mathbb{Z})$. (Equivalently, one could replace $\Omega$ with the upper half plane, and $\Gamma$ by the index-2 subgroup $\mathrm{SL}_2(\mathbb{Z})$, but our formulation will be easier to adapt.)

Similarly, the modular curve $Y_1(N)$ is a coarse moduli space whose $k$-points over any algebraically closed field $k$ of characteristic not dividing $N$ are in bijection with isomorphism classes of pairs $(E, P)$ where $E$ is an elliptic curve over $k$, and $P \in E(k)$ is a point of exact order $N$. One can extend this description to define a functor on $\mathbb{Z}[1/N]$-schemes, and this functor is representable by a smooth relative affine curve over $\mathbb{Z}[1/N]$ once $N \ge 4$. Over $\mathbb{C}$, one has $Y_1(N)(\mathbb{C}) \simeq \Gamma_1(N)\backslash\Omega$ where
$$\Gamma_1(N) := \left\{ \gamma \in \mathrm{GL}_2(\mathbb{Z}) : \gamma \equiv \begin{pmatrix} 1 & * \\ 0 & * \end{pmatrix} \pmod N \right\}.$$
(Since we are working in $\mathrm{GL}_2(\mathbb{Z})$ instead of $\mathrm{SL}_2(\mathbb{Z})$, it is not OK to replace the lower right $*$ with $1$.)
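The Python below is an added example, not part of Poonen's article. It implements the twisted polynomial ring $L\{\tau\}$, with $\tau c = c^q\tau$, for $L = \mathbb{F}_p[T]/(P)$ under the simplifying assumptions $q = p$ prime and $P$ monic irreducible, and uses it for two computations from the text. First, for the Carlitz module $\phi_T = T + \tau$ of Section 5 viewed over $L = A/(P)$, a field of $A$-characteristic $(P)$, it checks that $\phi_P = \tau^{\deg P}$ (Corollary 3.15; $\phi_P$ is already monic here, so the constant $c$ of Corollary 3.16 is $1$), that $\deg \phi_a = q^{\deg a}$ (Corollary 3.14 with $r = 1$) and that $\phi[P](L) = 0$ (Proposition 3.13(b) with $h = r = 1$). Second, it finds the $L$-points $(a, b)$ of the curve $Y_1(T^2)$ written down in Example 7.1 of the next subsection and verifies directly that $z = 1$ then has exact order $T^2$ under $T \mapsto T + a\tau + b\tau^2$. The sample data ($p = 3$, $P = T^2 + 1$, so $L = \mathbb{F}_9$) and all function names are mine.

```python
# Added example (not from Poonen's article): arithmetic in L{tau} for L = F_p[T]/(P),
# used to check Corollary 3.15 for the Carlitz module and to find points of Y_1(T^2).
# Assumptions: q = p is prime and P is monic irreducible (sample data below is mine).
from itertools import product

p = 3                 # q = p = 3
P = [1, 0, 1]         # P(T) = T^2 + 1, irreducible over F_3, so L = F_3[T]/(P) = F_9
d = len(P) - 1        # deg P; an element of L is a tuple of d coefficients, low degree first

def reduce_mod_P(coeffs):
    """Reduce a polynomial in F_p[T] (coefficient list) modulo P, returning an element of L."""
    c = [x % p for x in coeffs] + [0] * max(0, d - len(coeffs))
    for i in range(len(c) - 1, d - 1, -1):          # eliminate T^i for i >= d using T^(i-d) * P(T)
        k = c[i]
        for j in range(d + 1):
            c[i - d + j] = (c[i - d + j] - k * P[j]) % p
    return tuple(c[:d])

ZERO, ONE, T = reduce_mod_P([0]), reduce_mod_P([1]), reduce_mod_P([0, 1])
def add(u, v): return tuple((a + b) % p for a, b in zip(u, v))
def mul(u, v):
    prod = [0] * (2 * d - 1)
    for i, a in enumerate(u):
        for j, b in enumerate(v):
            prod[i + j] += a * b
    return reduce_mod_P(prod)
def power(u, n):                                   # square-and-multiply in L
    r, base = ONE, u
    while n:
        if n & 1: r = mul(r, base)
        base, n = mul(base, base), n >> 1
    return r
def all_elements(): return [tuple(c) for c in product(range(p), repeat=d)]

# A twisted polynomial f = sum_i f_i tau^i is a list of elements of L indexed by the power of tau.
def skew_mul(f, g):
    h = [ZERO] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            h[i + j] = add(h[i + j], mul(fi, power(gj, p ** i)))   # tau^i g_j = g_j^(q^i) tau^i
    return h
def skew_add(f, g):
    n = max(len(f), len(g))
    f, g = f + [ZERO] * (n - len(f)), g + [ZERO] * (n - len(g))
    return [add(a, b) for a, b in zip(f, g)]
def trim(f):
    while len(f) > 1 and f[-1] == ZERO: f = f[:-1]
    return f
def evaluate(f, z):
    """The additive polynomial f(z) = sum_i f_i z^(q^i)."""
    out = ZERO
    for i, fi in enumerate(f):
        out = add(out, mul(fi, power(z, p ** i)))
    return out
def drinfeld(phi_T, a):
    """phi_a for a in A = F_p[T] (coefficient list, low degree first), from phi_T by Horner's rule."""
    res = [ZERO]
    for coef in reversed(a):
        res = skew_add(skew_mul(res, phi_T), [reduce_mod_P([coef])])
    return trim(res)

# --- Carlitz module phi_T = T + tau over L = A/(P), which has A-characteristic (P) ---
carlitz = [T, ONE]
def carlitz_phi_P():
    return drinfeld(carlitz, P)                          # Corollary 3.15 predicts tau^(deg P)
def carlitz_degree(a):
    return p ** (len(drinfeld(carlitz, a)) - 1)          # deg phi_a as a polynomial in x
def carlitz_P_torsion_count():
    return sum(1 for z in all_elements() if evaluate(carlitz_phi_P(), z) == ZERO)

# --- Example 7.1: L-points (a, b) of Y_1(T^2), where z = 1 has exact order T^2 under T -> T + a tau + b tau^2 ---
def y1_T2_points():
    pts = []
    for a in all_elements():
        for b in all_elements():
            if b == ZERO: continue
            y = add(add(T, a), b)                                     # y = phi_T(1) = T + a + b
            lhs = add(add(T, mul(a, power(y, p - 1))), mul(b, power(y, p * p - 1)))
            if lhs == ZERO: pts.append((a, b))                        # T + a y^(q-1) + b y^(q^2-1) = 0
    return pts
def has_exact_order_T2(a, b, z=ONE):
    phi_T = [T, a, b]
    return evaluate(phi_T, z) != ZERO and evaluate(drinfeld(phi_T, [0, 0, 1]), z) == ZERO
```

Everything is brute force over $\mathbb{F}_9$ (81 candidate pairs $(a, b)$), which is enough to see the structure: the Carlitz check returns the list $[0, 0, 1]$, i.e. $\tau^2 = \tau^{\deg P}$, whose only zero in $L$ is $0$; and the $Y_1(T^2)$ search finds $(a, b) = (1, T)$ among its solutions, with $\phi_T(1) = 1 + 2T \neq 0$ and $\phi_{T^2}(1) = \phi_T(1 + 2T) = 0$ as the equation of Example 7.1 demands.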
7.2. Drinfeld modular curves. Elliptic curves over $\mathbb{C}$ are described analytically by rank 2 lattices, so elliptic curves are analogous to rank 2 Drinfeld modules. Drinfeld modular curves classify rank 2 Drinfeld modules with level structure. For simplicity, let us assume that $A = \mathbb{F}_q[T]$. Each rank 2 Drinfeld module has the form
$$\phi^{(a,b)} \colon A \longrightarrow L\{\tau\}, \qquad T \longmapsto T + a\tau + b\tau^2$$
for some $a \in L$ and $b \in L^\times$. The definition of morphism shows that $\phi^{(a,b)} \simeq \phi^{(a',b')}$ if and only if there exists $u \in L^\times$ such that $a' = u^{q-1}a$ and $b' = u^{q^2-1}b$. So $j := a^{q+1}/b$ is invariant under isomorphism, like the $j$-invariant of an elliptic curve. The Drinfeld modular curve $Y(1)$ classifying rank 2 Drinfeld modules without level structure is a coarse moduli space isomorphic to $\mathbb{A}^1$ with coordinate $j$. Analytically, $Y(1)(C) \simeq \Gamma\backslash\Omega$ where $\Omega := C - K_\infty$ (the Drinfeld upper half plane) and $\Gamma := \mathrm{GL}_2(A)$.

Similarly, for each nonzero $n \in A$, the Drinfeld modular curve $Y_1(n)$ classifies rank 2 Drinfeld modules equipped with a torsion point of exact order $n$. One can make this more precise by specifying a functor on $A[1/n]$-schemes. The functor is representable by a smooth relative curve over $A[1/n]$ when $n$ is nonconstant.

Example 7.1. Let us describe $Y_1(T^2)$ explicitly. First consider triples $(a, b, z)$ where $\phi_{T^2}(z) = 0$ and $\phi_T(z) \neq 0$. These are described by the equations $\phi_T(z) = y$ and $\phi_T(y) = 0$ with $y \neq 0$. In other words,
$$Tz + az^q + bz^{q^2} = y, \qquad T + ay^{q-1} + by^{q^2-1} = 0.$$
Eliminating $y$ rewrites this system as the single equation
$$T + a\,(Tz + az^q + bz^{q^2})^{q-1} + b\,(Tz + az^q + bz^{q^2})^{q^2-1} = 0.$$
Another triple $(a', b', z')$ gives rise to an isomorphic Drinfeld module with torsion point if and only if there exists an invertible $u$ such that $a' = u^{q-1}a$, $b' = u^{q^2-1}b$, $z' = u^{-1}z$. So $Y_1(T^2)$ is the quotient of the above affine scheme by an action of $\mathbb{G}_m$. The quotient can be obtained simply by setting $z = 1$, to obtain
$$T + a\,(T + a + b)^{q-1} + b\,(T + a + b)^{q^2-1} = 0.$$
So $Y_1(T^2)$ is the relative curve defined by this equation in $\mathbb{A}^2_{A[1/T]} = \operatorname{Spec} A[1/T][a, b]$. For much more on Drinfeld modular curves, see [Gek86].

7.3. Drinfeld modular varieties and stacks. More generally, given any $r \ge 1$ and nonzero ideal $\mathfrak{n} \subseteq A$, Drinfeld [Dri74, §5] defined the notion of (full) level $\mathfrak{n}$ structure on a rank $r$ Drinfeld $A$-module, and he proved that the functor
$$\{A\text{-schemes}\} \longrightarrow \mathbf{Sets}, \qquad S \longmapsto \{\text{Drinfeld } A\text{-modules over } S \text{ with level } \mathfrak{n} \text{ structure}\}/\text{isomorphism}$$
is representable by an $A$-scheme $Y$, provided that $\mathfrak{n}$ is not too small (Drinfeld assumes that $\mathfrak{n}$ is divisible by at least two distinct primes of $A$). Applying deformation theory to analogues of formal groups and $p$-divisible groups, he proved also
that $Y \to \operatorname{Spec} A$, after removing the fibers above primes dividing $\mathfrak{n}$, is smooth of relative dimension $r - 1$. Without any restriction on $\mathfrak{n}$, one can define a moduli stack $\mathcal{Y}$ and take its coarse space $Y$. Like classical modular curves and Shimura varieties, these can also be compactified.

Example 7.2 ([Dri74, §8]). Suppose that $r = 1$ and $\mathfrak{n} = (1)$ (no level structure). Then $\mathcal{Y}$ is of relative dimension $0$ over $\operatorname{Spec} A$, and its coarse space $Y$ is a finite $A$-scheme.
• For $A = \mathbb{F}_q[T]$, there is only one rank 1 Drinfeld module over $C$ up to isomorphism (the Carlitz module). We have $Y = \operatorname{Spec} A$.
• For more general $A$, define
$H$ := the Hilbert class field of $A$
$\mathcal{O}_H$ := the integral closure of $A$ in $H$.
Then $Y = \operatorname{Spec} \mathcal{O}_H$, so we have bijections
$$Y(C) \longleftrightarrow \{A\text{-embeddings } \mathcal{O}_H \to C\} \longleftrightarrow \{K\text{-embeddings } H \to C\}.$$
These are principal homogeneous spaces under $\operatorname{Pic} A \simeq \operatorname{Gal}(H/K)$, in accordance with Theorem 6.5.

Acknowledgments

I thank Francesc Fité and the referees for comments.

References

[And86] Greg W. Anderson, t-motives, Duke Math. J. 53 (1986), no. 2, 457–502, DOI 10.1215/S0012-7094-86-05328-7. MR850546
[Car35] Leonard Carlitz, On certain functions connected with polynomials in a Galois field, Duke Math. J. 1 (1935), no. 2, 137–168, DOI 10.1215/S0012-7094-35-00114-4. MR1545872
[Car38] Leonard Carlitz, A class of polynomials, Trans. Amer. Math. Soc. 43 (1938), no. 2, 167–182, DOI 10.2307/1990037. MR1501937
[DH87] Pierre Deligne and Dale Husemoller, Survey of Drinfeld modules, Current trends in arithmetical algebraic geometry (Arcata, Calif., 1985), Contemp. Math., vol. 67, Amer. Math. Soc., Providence, RI, 1987, pp. 25–91, DOI 10.1090/conm/067/902591. MR902591
[Dri74] V. G. Drinfeld, Elliptic modules (Russian), Mat. Sb. (N.S.) 94(136) (1974), 594–627, 656. MR0384707
[Dri77] V. G. Drinfeld, Elliptic modules. II (Russian), Mat. Sb. (N.S.) 102(144) (1977), no. 2, 182–194, 325. MR0439758
[DH94] D. S. Dummit and David Hayes, Rank-one Drinfeld modules on elliptic curves, Math. Comp. 62 (1994), no. 206, 875–883, DOI 10.2307/2153547. With microfiche supplement. MR1218342
[Gek83] Ernst-Ulrich Gekeler, Zur Arithmetik von Drinfeld-Moduln (German), Math. Ann. 262 (1983), no. 2, 167–182, DOI 10.1007/BF01455309. MR690193
[Gek86] Ernst-Ulrich Gekeler, Drinfeld modular curves, Lecture Notes in Mathematics, vol. 1231, Springer-Verlag, Berlin, 1986, DOI 10.1007/BFb0072692. MR874338
[Gek91] Ernst-Ulrich Gekeler, On finite Drinfeld modules, J. Algebra 141 (1991), no. 1, 187–203, DOI 10.1016/0021-8693(91)90211-P. MR1118323
[GvdPRVG97] E.-U. Gekeler, M. van der Put, M. Reversat, and J. Van Geel (eds.), Drinfeld modules, modular schemes and applications, World Scientific Publishing Co., Inc., River Edge, NJ, 1997. MR1630594
[Gos96] David Goss, Basic structures of function field arithmetic, Ergebnisse der Mathematik und ihrer Grenzgebiete (3) [Results in Mathematics and Related Areas (3)], vol. 35, Springer-Verlag, Berlin, 1996, DOI 10.1007/978-3-642-61480-4. MR1423131
[GHR92] David Goss, David R. Hayes, and Michael I. Rosen (eds.), The arithmetic of function fields, Ohio State University Mathematical Research Institute Publications, vol. 2, Walter de Gruyter & Co., Berlin, 1992, DOI 10.1515/9783110886153. MR1196508
[Hay74] D. R. Hayes, Explicit class field theory for rational function fields, Trans. Amer. Math. Soc. 189 (1974), 77–91, DOI 10.2307/1996848. MR330106
[Hay79] David R. Hayes, Explicit class field theory in global function fields, Studies in algebra and number theory, Adv. in Math. Suppl. Stud., vol. 6, Academic Press, New York-London, 1979, pp. 173–217. MR535766
[Hay91] David R. Hayes, On the reduction of rank-one Drinfeld modules, Math. Comp. 57 (1991), no. 195, 339–349, DOI 10.2307/2938678. MR1079021
[Hay92] David R. Hayes, A brief introduction to Drinfeld modules, The arithmetic of function fields (Columbus, OH, 1991), Ohio State Univ. Math. Res. Inst. Publ., vol. 2, de Gruyter, Berlin, 1992, pp. 1–32. MR1196509
[Lau96] Gérard Laumon, Cohomology of Drinfeld modular varieties. Part I, Cambridge Studies in Advanced Mathematics, vol. 41, Cambridge University Press, Cambridge, 1996. Geometry, counting of points and local harmonic analysis. MR1381898
[Lau97] Gérard Laumon, Cohomology of Drinfeld modular varieties. Part II, Cambridge Studies in Advanced Mathematics, vol. 56, Cambridge University Press, Cambridge, 1997. Automorphic forms, trace formulas and Langlands correspondence; With an appendix by Jean-Loup Waldspurger, DOI 10.1017/CBO9780511661969. MR1439250
[Ros02] Michael Rosen, Number theory in function fields, Graduate Texts in Mathematics, vol. 210, Springer-Verlag, New York, 2002, DOI 10.1007/978-1-4757-6046-0. MR1876657
[Sil09] Joseph H. Silverman, The arithmetic of elliptic curves, 2nd ed., Graduate Texts in Mathematics, vol. 106, Springer, Dordrecht, 2009, DOI 10.1007/978-0-387-09494-6. MR2514094
[Tha04] Dinesh S. Thakur, Function field arithmetic, World Scientific Publishing Co., Inc., River Edge, NJ, 2004, DOI 10.1142/9789812562388. MR2091265
Department of Mathematics, Massachusetts Institute of Technology, Cambridge, Massachusetts 02139-4307 Email address: [email protected] URL: http://math.mit.edu/~poonen/
Selected Published Titles in This Series
779 Samuele Anni, Valentijn Karemaker, and Elisa Lorenzo García, Editors, Arithmetic, Geometry, Cryptography, and Coding Theory 2021, 2022
778 Carlos Galindo, Alejandro Melle Hernández, Julio José Moyano-Fernández, and Wilson A. Zúñiga-Galindo, Editors, p-Adic Analysis, Arithmetic and Singularities, 2022
777 Bang-Yen Chen, Nicholas D. Brubaker, Takashi Sakai, Bogdan D. Suceavă, Makiko Sumi Tanaka, Hiroshi Tamaru, and Mihaela B. Vajiac, Editors, Differential Geometry and Global Analysis, 2022
776 Aaron Wootton, S. Allen Broughton, and Jennifer Paulhus, Editors, Automorphisms of Riemann Surfaces, Subgroups of Mapping Class Groups and Related Topics, 2022
775 Fernando Galaz-García, Cecilia González-Tokman, and Juan Carlos Pardo Millán, Editors, Mexican Mathematicians in the World, 2021
774 Randall J. Swift, Alan Krinik, Jennifer M. Switkes, and Jason H. Park, Editors, Stochastic Processes and Functional Analysis, 2021
773 Nicholas R. Baeth, Thiago H. Freitas, Graham J. Leuschke, and Victor H. Jorge Pérez, Editors, Commutative Algebra, 2021
772 Anatoly M. Vershik, Victor M. Buchstaber, and Andrey V. Malyutin, Editors, Topology, Geometry, and Dynamics, 2021
771 Nicolás Andruskiewitsch, Gongxiang Liu, Susan Montgomery, and Yinhuo Zhang, Editors, Hopf Algebras, Tensor Categories and Related Topics, 2021
770 Stéphane Ballet, Gaetan Bisson, and Irene Bouw, Editors, Arithmetic, Geometry, Cryptography and Coding Theory, 2021
769 Kiyoshi Igusa, Alex Martsinkovsky, and Gordana Todorov, Editors, Representations of Algebras, Geometry and Physics, 2021
768 Dražen Adamović, Andrej Dujella, Antun Milas, and Pavle Pandžić, Editors, Lie Groups, Number Theory, and Vertex Algebras, 2021
767 Moshe Jarden and Tony Shaska, Editors, Abelian Varieties and Number Theory, 2021
766 Paola Comparin, Eduardo Esteves, Herbert Lange, Sebastián Reyes-Carocca, and Rubí E. Rodríguez, Editors, Geometry at the Frontier, 2021
765 Michael Aschbacher, Quaternion Fusion Packets, 2021
764 Gabriel Cunningham, Mark Mixer, and Egon Schulte, Editors, Polytopes and Discrete Geometry, 2021
763 Tyler J. Jarvis and Nathan Priddis, Editors, Singularities, Mirror Symmetry, and the Gauged Linear Sigma Model, 2021
762 Atsushi Ichino and Kartik Prasanna, Periods of Quaternionic Shimura Varieties. I., 2021
761 Ibrahim Assem, Christof Geiß, and Sonia Trepode, Editors, Advances in Representation Theory of Algebras, 2021
760 Olivier Collin, Stefan Friedl, Cameron Gordon, Stephan Tillmann, and Liam Watson, Editors, Characters in Low-Dimensional Topology, 2020
759 Omayra Ortega, Emille Davie Lawrence, and Edray Herber Goins, Editors, The Golden Anniversary Celebration of the National Association of Mathematicians, 2020
758 Jan Šťovíček and Jan Trlifaj, Editors, Representation Theory and Beyond, 2020
757 Kaïs Ammari and Stéphane Gerbi, Editors, Identification and Control: Some New Challenges, 2020
756 Joeri Van der Veken, Alfonso Carriazo, Ivko Dimitrić, Yun Myung Oh, Bogdan D. Suceavă, and Luc Vrancken, Editors, Geometry of Submanifolds, 2020
For a complete list of titles in this series, visit the AMS Bookstore at www.ams.org/bookstore/conmseries/.
CONM
779
ISBN 978-1-4704-6794-4
AGC2T 2021 • Anni et al., Editors
This volume contains the proceedings of the 18th International Conference on Arithmetic, Geometry, Cryptography, and Coding Theory, held (online) from May 31 to June 4, 2021. For over thirty years, the biennial international conference AGC2T (Arithmetic, Geometry, Cryptography, and Coding Theory) has brought researchers together to forge connections between arithmetic geometry and its applications to coding theory and to cryptography. The papers illustrate the fruitful interaction between abstract theory and explicit computations, covering a large range of topics, including Belyi maps, Galois representations attached to elliptic curves, reconstruction of curves from their Jacobians, isogeny graphs of abelian varieties, hypergeometric equations, and Drinfeld modules.
